Abstract. Multiparty session types are a type system that can ensure the safety and liveness of distributed peers via the global specification of their interactions. To construct a global specification from a set of distributed uncontrolled behaviours, this paper explores the problem of fully characterising multiparty session types in terms of communicating automata. We equip global and local session types with labelled transition systems (LTSs) that faithfully represent asynchronous communications through unbounded buffered channels. Using the equivalence between the two LTSs, we identify a class of communicating automata that exactly correspond to the projected local types. We exhibit an algorithm to synthesise a global type from a collection of communicating automata. The key property of our findings is the notion of multiparty compatibility which non-trivially extends the duality condition for binary session types.

1 Introduction

Over the last decade, session types [16, 24] have been studied as data types or functional types for communications and distributed systems. A recent discovery by [6, 26], which establishes a Curry-Howard isomorphism between binary session types and linear logics, confirms that session types and the notion of duality between type constructs have canonical meanings. On the practical side, multiparty session types [3, 17] were proposed as a major generalisation of binary session types. They can enforce communication safety and deadlock-freedom for more than two peers thanks to a choreographic specification (called global type) of the interaction. Global types are projected to end-point types (called local types), against which processes can be statically type-checked and verified to behave correctly.

The motivation of this paper comes from our practical experiences that, in many situations, even where we start from the end-point projections of a choreography, we need to reconstruct a global type from distributed specifications. End-point specifications are usually available, either through inference from the control flow, or through existing service interfaces, and always in forms akin to individual communicating finite state machines. If one knows the precise conditions under which a global type can be constructed (i.e. the conditions of synthesis), not only is the global safety property which multiparty session types ensure guaranteed, but also the generated global type can be used as a refinement and be integrated within the distributed system development life-cycle (see § 5 for applications [22, 23]). This paper attempts to give the synthesis condition as a sound and complete characterisation of multiparty session types with respect to Communicating Finite State Machines (CFSMs) [5]. CFSMs have been a well-studied formalism for analysing distributed safety properties and are widely present in industry tools. They can be seen as generalised end-point specifications, therefore an excellent target for a common comparison ground and for synthesis. As explained below, to identify a complete set of CFSMs for synthesis, we first need to answer a question: what is the canonical duality notion in multiparty session types?



Characterisation of binary session types as communicating automata The subclass which fully characterises binary session types was actually proposed by Gouda, Manning and Yu in 1984 [15] in a pure communicating automata context.¹ Consider a simple business protocol between a Buyer and a Seller from the Buyer's viewpoint: Buyer sends the title of a book, Seller answers with a quote. If Buyer is satisfied by the quote, then he sends his address and Seller sends back the delivery date; otherwise it retries the same conversation. This can be described by the following session type:

$\mu t.\ !title;\ ?quote;\ !\{ok : !addrs;\ ?date;\ end,\ \ retry : t\}$   (1.1)

where the operator $!title$ denotes an output of the title, whereas $?quote$ denotes an input of a quote. The output choice features the two options $ok$ and $retry$, $;$ denotes sequencing, $end$ represents the termination of the session, and $\mu t$ is recursion.

The simplicity and tractability of binary sessions come from the notion of duality in interactions [14]. The interaction pattern of the Seller is fully given as the dual of the type in (1.1) (exchanging output ! and input ? in the original type). When composing two parties, we only have to check that they have mutually dual types, and the resulting communication is guaranteed to be deadlock-free. Essentially the same characterisation is given in communicating automata. Buyer and Seller's session types are represented by the following two machines.

[Figure omitted: the Buyer and Seller CFSMs, the Seller's transitions being those of the Buyer with ! and ? exchanged (e.g. !retry in Buyer against ?retry in Seller).]

We can observe that these CFSMs satisfy three conditions. First, the communications are deterministic: messages that are part of the same choice, ok and retry here, are distinct. Secondly, there is no mixed state (each state has either only sending actions or only receiving actions). Third, these two machines have compatible traces (i.e. dual): the Seller machine can be defined by exchanging sending and receiving actions. Breaking one of these conditions allows deadlock situations, and breaking one of the first two conditions makes the compatibility checking undecidable [15].

Multiparty compatibility This notion of duality is no longer effective in multiparty communications, where the whole conversation cannot be reconstructed from only a single behaviour. To bypass the gap between binary and multiparty, we take the synthesis approach, that is to find conditions which allow a global choreography to be built from the local machine behaviour. Instead of directly trying to decide whether the communications of a system will satisfy safety (which is undecidable in the general case), inferring a global type guarantees the safety as a direct consequence.

Fig. 1. Commit example: CFSMs [figure omitted; the three machines are: A sends AB!act then AC!commit and loops, or AB!quit then AC!finish and stops; B receives AB?act then sends BC!sig and loops, or receives AB?quit then sends BC!save and stops; C receives BC?sig then AC?commit and loops, or BC?save then AC?finish and stops.]

We give a simple example to illustrate the problem. The commit protocol in Figure 1 involves three machines: Alice A, Bob B and Carol C. A orders B to act or quit. If act is sent, B sends a signal to C, and A sends a commitment to C and continues. Otherwise B informs C to save the data and A gives the final notification to C to terminate the protocol.

¹ Villard [25] independently found this subset in the context of channel contracts [12].

This paper presents a decidable notion of multiparty compatibility as a generalisation of duality of binary sessions, which in turn characterises a synthesis condition. The idea is to check the duality between each automaton and the rest, up to the internal communications (1-bounded executions in the terminology of CFSMs, see § 2) that the other machines will independently perform. For example, in Figure 1, to check the compatibility of the trace BC?sig · AC?commit in C, we execute the internal communications between A and B, namely AB!act · AB?act, and observe the dual trace BC!sig · AC!commit from B and A. If this extended duality is valid for all the machines from any 1-bounded reachable state, then they satisfy multiparty compatibility and can build a well-formed global choreography.

Contributions and Outline Section 3 defines new labelled transition systems for global and local types that represent the abstract observable behaviour of typed processes. We prove that a global type behaves exactly as its projected local types, and the same result between a single local type and its CFSM interpretation. These correspondences are the key to prove the main theorems. Section 4 defines multiparty compatibility, studies its safety and liveness properties, gives an algorithm for the synthesis of global types from CFSMs, and proves the soundness and completeness results between global types and CFSMs. Section 5 discusses related work and concludes. The full proofs can be found in the Appendix.

In Appendix C, we also extend our result to generalised multiparty session types, a recent class of multiparty session types [11] with graph-like control flow and parallelism. The same multiparty compatibility as in § 4 can be used without modification, although the well-formedness condition needs to be generalised. The synthesis algorithm relies on Petri net intermediate representations [9] and 1-bounded behavioural exploration. Our result is applicable to generate a core part of the Choreography BPMN 2.0 specification [4] from CFSMs.

2 Communicating Finite State Machines 

This section starts from some preliminary notations (following [8]). $\varepsilon$ is the empty word. $A$ is a finite alphabet and $A^*$ is the set of all finite words over $A$. $|x|$ is the length of a word $x$ and $x.y$ or $xy$ the concatenation of two words $x$ and $y$. Let $\mathcal{P}$ be a set of participants fixed throughout the paper: $\mathcal{P} \subseteq \{A, B, C, \ldots, p, q, \ldots\}$.

Definition 2.1 (CFSM). A communicating finite state machine is a finite transition system given by a 5-tuple $M = (Q, C, q_0, A, \delta)$ where (1) $Q$ is a finite set of states; (2) $C = \{pq \in \mathcal{P}^2 \mid p \neq q\}$ is a set of channels; (3) $q_0 \in Q$ is an initial state; (4) $A$ is a finite alphabet of messages, and (5) $\delta \subseteq Q \times (C \times \{!, ?\} \times A) \times Q$ is a finite set of transitions.

In transitions, $pq!a$ denotes the sending action of $a$ from process $p$ to process $q$, and $pq?a$ denotes the receiving action of $a$ from $p$ by $q$. $\ell, \ell'$ range over actions and we define the subject of an action $\ell$ as the principal in charge of it: $subj(pq!a) = subj(qp?a) = p$. A state $q \in Q$ whose outgoing transitions are all labelled with sending (resp. receiving) actions is called a sending (resp. receiving) state. A state $q \in Q$ which does not have any outgoing transition is called final. If $q$ has both sending and receiving outgoing transitions, $q$ is called mixed. We say $q$ is directed if it contains only sending (resp. receiving) actions to (resp. from) the same participant. A path in $M$ is a finite sequence $q_0, \ldots, q_n$ ($n \geq 1$) such that $(q_i, \ell, q_{i+1}) \in \delta$ ($0 \leq i \leq n-1$), and we write $q \xrightarrow{\ell} q'$ if $(q, \ell, q') \in \delta$. $M$ is connected if for every state $q \neq q_0$, there is a path from $q_0$ to $q$. Hereafter we assume each CFSM is connected.

A CFSM $M = (Q, C, q_0, A, \delta)$ is deterministic if for all states $q \in Q$ and all actions $\ell$, $(q, \ell, q'), (q, \ell, q'') \in \delta$ imply $q' = q''$.²

Definition 2.2 (CS). A (communicating) system $S$ is a tuple $S = (M_p)_{p \in \mathcal{P}}$ of CFSMs such that $M_p = (Q_p, C, q_{0p}, A, \delta_p)$.

For $M_p = (Q_p, C, q_{0p}, A, \delta_p)$, we define a configuration of $S = (M_p)_{p \in \mathcal{P}}$ to be a tuple $s = (\vec{q}; \vec{w})$ where $\vec{q} = (q_p)_{p \in \mathcal{P}}$ with $q_p \in Q_p$ and where $\vec{w} = (w_{pq})_{p \neq q \in \mathcal{P}}$ with $w_{pq} \in A^*$. The element $\vec{q}$ is called a control state and $q_p \in Q_p$ is the local state of machine $M_p$.

Definition 2.3 (reachable state). Let $S$ be a communicating system. A configuration $s' = (\vec{q}'; \vec{w}')$ is reachable from another configuration $s = (\vec{q}; \vec{w})$ by the firing of the transition $t$, written $s \rightarrow s'$ or $s \xrightarrow{t} s'$, if there exists $a \in A$ such that either:

1. $t = (q_p, pq!a, q'_p) \in \delta_p$ and (a) $q'_{p'} = q_{p'}$ for all $p' \neq p$; and (b) $w'_{pq} = w_{pq}.a$ and $w'_{p'q'} = w_{p'q'}$ for all $p'q' \neq pq$; or

2. $t = (q_q, pq?a, q'_q) \in \delta_q$ and (a) $q'_{p'} = q_{p'}$ for all $p' \neq q$; and (b) $w_{pq} = a.w'_{pq}$ and $w'_{p'q'} = w_{p'q'}$ for all $p'q' \neq pq$.

The condition (1-b) puts the content $a$ into the channel $pq$, while (2-b) gets the content $a$ from the channel $pq$. The reflexive and transitive closure of $\rightarrow$ is $\rightarrow^*$. For a transition $t = (s, \ell, s')$, we refer to $\ell$ by $act(t)$. We write $s_1 \xrightarrow{t_1 \cdots t_m} s_{m+1}$ for $s_1 \xrightarrow{t_1} s_2 \cdots \xrightarrow{t_m} s_{m+1}$ and use $\varphi$ to denote $t_1 \cdots t_m$. We extend $act$ to these sequences: $act(t_1 \cdots t_n) = act(t_1) \cdots act(t_n)$.

The initial configuration of a system is $s_0 = (\vec{q}_0; \vec{\varepsilon})$ with $\vec{q}_0 = (q_{0p})_{p \in \mathcal{P}}$. A final configuration of the system is $s_f = (\vec{q}; \vec{\varepsilon})$ with all $q_p \in \vec{q}$ final. A configuration $s$ is reachable if $s_0 \rightarrow^* s$ and we define the reachable set of $S$ as $RS(S) = \{s \mid s_0 \rightarrow^* s\}$. We define the traces of a system $S$ to be $Tr(S) = \{act(\varphi) \mid \exists s \in RS(S),\ s_0 \xrightarrow{\varphi} s\}$.

We now define several properties about communicating systems and their configurations. These properties will be used in § 4 to characterise the systems that correspond to multiparty session types. Let $S$ be a communicating system, $t$ one of its transitions and $s = (\vec{q}; \vec{w})$ one of its configurations. The following definitions of configuration properties follow [8, Definition 12].

1. $s$ is stable if all its buffers are empty, i.e., $\vec{w} = \vec{\varepsilon}$.

2. $s$ is a deadlock configuration if $s$ is not final, $\vec{w} = \vec{\varepsilon}$ and each $q_p$ is a receiving state, i.e. all machines are blocked, waiting for messages.

3. $s$ is an orphan message configuration if all $q_p \in \vec{q}$ are final but $\vec{w} \neq \vec{\varepsilon}$, i.e. there is at least one orphan message in a buffer.

4. $s$ is an unspecified reception configuration if there exists $q \in \mathcal{P}$ such that $q_q$ is a receiving state and $(q_q, pq?a, q'_q) \in \delta_q$ implies that $|w_{pq}| > 0$ and $w_{pq} \notin aA^*$, i.e. $q_q$ is prevented from receiving any message from buffer $pq$.

A sequence of transitions is said to be $k$-bounded if no channel of any intermediate configuration $s_i$ contains more than $k$ messages. We define the $k$-reachability set of $S$ to be the largest subset $RS_k(S)$ of $RS(S)$ within which each configuration $s$ can be reached by a $k$-bounded execution from $s_0$. Note that, given a communicating system $S$, for every integer $k$, the set $RS_k(S)$ is finite and computable. We say that a trace $\varphi$ is $n$-bound, written $bound(\varphi) = n$, if the number of send actions in $\varphi$ never exceeds the number of receive actions by $n$. We then define the equivalences: (1) $S \approx S'$ is $\forall \varphi,\ \varphi \in Tr(S) \Leftrightarrow \varphi \in Tr(S')$; and (2) $S \approx_n S'$ is $\forall \varphi,\ bound(\varphi) \leq n \Rightarrow (\varphi \in Tr(S) \Leftrightarrow \varphi \in Tr(S'))$.

² "Deterministic" often means that the same channel should carry a unique value, i.e. if $(q, c!a, q') \in \delta$ and $(q, c!a', q'') \in \delta$ then $a = a'$ and $q' = q''$. Here we follow a different definition [8] in order to represent branching type constructs.

The following key properties will be examined throughout the paper as properties that multiparty session types can enforce. They are undecidable in general CFSMs.

Definition 2.4 (safety and liveness). (1) A communicating system $S$ is deadlock-free (resp. orphan message-free, reception error-free) if for all $s \in RS(S)$, $s$ is not a deadlock (resp. orphan message, unspecified reception) configuration. (2) $S$ satisfies the liveness property³ if for all $s \in RS(S)$, there exists $s \rightarrow^* s'$ such that $s'$ is final.

3 Global and local types: the LTSs and translations 

This section presents the multiparty session types, our main object of study. For the 
syntax of types, we follow [3] which is the most widely used syntax in the literature. 
We introduce two labelled transition systems, for local types and for global types, and 
show the equivalence between local types and communicating automata. 

Syntax A global type, written $G, G', \ldots$, describes the whole conversation scenario of a multiparty session as a type signature, and a local type, written $T, T', \ldots$, type-abstracts sessions from each end-point's view. $p, q, \ldots \in \mathcal{P}$ denote participants (see § 2 for conventions). The syntax of types is given as:

$G ::= p \rightarrow p' : \{a_i . G_i\}_{i \in I} \ \mid\ \mu t.G \ \mid\ t \ \mid\ end$

$T ::= p?\{a_i . T_i\}_{i \in I} \ \mid\ p!\{a_i . T_i\}_{i \in I} \ \mid\ \mu t.T \ \mid\ t \ \mid\ end$

$a_i \in A$ corresponds to the usual message label in session type theory. We omit the mention of the carried types from the syntax in this paper, as we are not directly concerned with typing processes. The global branching type $p \rightarrow p' : \{a_i . G_i\}_{i \in I}$ states that participant $p$ can send a message with one of the $a_i$ labels to participant $p'$ and that the interactions described in $G_i$ follow. We require $p \neq p'$ to prevent self-sent messages. The recursive type $\mu t.G$ is for recursive protocols, assuming that type variables ($t, t', \ldots$) are guarded in the standard way, i.e. they only occur under branchings. Type $end$ represents session termination (often omitted). $p \in G$ means that $p$ appears in $G$.

Concerning local types, the branching type $p?\{a_i . T_i\}_{i \in I}$ specifies the reception of a message from $p$ with a label among the $a_i$. The selection type $p!\{a_i . T_i\}_{i \in I}$ is its dual. The remaining type constructors are the same as for global types. When the branching is a singleton, we write $p \rightarrow p' : a.G'$ for global types, and $p!a.T$ or $p?a.T$ for local types.

Projection The relation between global and local types is formalised by projection. Instead of the restricted original projection [3], we use the extension with the merging operator $\sqcup$ from [10]: it allows each branch of the global type to actually contain different interaction patterns.

Definition 3.1 (projection). The projection of $G$ onto $q$ (written $G \restriction q$) is defined as:

$(p \rightarrow p' : \{a_j . G_j\}_{j \in J}) \restriction q \ = \ p'!\{a_j . G_j \restriction q\}_{j \in J}$ if $q = p$; $\ = \ p?\{a_j . G_j \restriction q\}_{j \in J}$ if $q = p'$; $\ = \ \bigsqcup_{j \in J} G_j \restriction q$ otherwise

$(\mu t.G) \restriction q \ = \ \mu t.(G \restriction q)$ if $q \in G$, $end$ otherwise; $\qquad t \restriction q = t$; $\qquad end \restriction q = end$

The mergeability relation $\bowtie$ is the smallest congruence relation over local types such that:

$\forall i \in (K \cap J).\ T_i \bowtie T'_i \qquad \forall k \in (K \setminus J), \forall j \in (J \setminus K).\ a_k \neq a_j \quad \Longrightarrow \quad p?\{a_k . T_k\}_{k \in K} \bowtie p?\{a_j . T'_j\}_{j \in J}$

When $T_1 \bowtie T_2$ holds, we define the operation $\sqcup$ as a partial commutative operator over two types such that $T \sqcup T = T$ for all types and that:

$p?\{a_k . T_k\}_{k \in K} \sqcup p?\{a_j . T'_j\}_{j \in J} \ = \ p?(\{a_k . (T_k \sqcup T'_k)\}_{k \in K \cap J} \cup \{a_k . T_k\}_{k \in K \setminus J} \cup \{a_j . T'_j\}_{j \in J \setminus K})$

and homomorphic for other types (i.e. $\mathcal{C}[T_1] \sqcup \mathcal{C}[T_2] = \mathcal{C}[T_1 \sqcup T_2]$ where $\mathcal{C}$ is a context for local types). We say that $G$ is well-formed if for all $p \in \mathcal{P}$, $G \restriction p$ is defined.

³ The terminology follows [7].

Example 3.1 (Commit). The global type for the commit protocol in Figure 1 is:

$\mu t.\ A \rightarrow B : \{act .\ B \rightarrow C : \{sig .\ A \rightarrow C : commit . t\},\ \ quit .\ B \rightarrow C : \{save .\ A \rightarrow C : finish . end\}\}$

Then C's local type is: $\mu t.\ B?\{sig .\ A?\{commit . t\},\ \ save .\ A?\{finish . end\}\}$.
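The projection and merge of Definition 3.1, carried out on Example 3.1, as an added worked example that is not code from the paper. Global and local types are encoded as nested tuples (my own encoding: ('comm', p, q, {a: G}) for p → p' : {a.G}, ('sel', q, {a: T}) for q!{a.T}, ('bra', q, {a: T}) for q?{a.T}, plus ('mu', t, T), ('var', t) and 'end'). Besides C's local type, it shows the two global types discussed at the end of Section 4: the one synthesised from A, B, C in Remark 4.1 is not projectable onto C because C!{c} and C!{d} do not merge, while the one synthesised from A', B, C is.

```python
# Added example (not code from the paper): global and local types as nested
# tuples, projection G|p of Definition 3.1 with the merging operator of [10],
# and the well-formedness test. The types at the bottom are hand encodings of
# Example 3.1 and of the two global types discussed in Remark 4.1 / Section 4.
#
# Global types:  ('comm', p, q, {a: G})   p -> q : {a.G}
#                ('mu', t, G)  ('var', t)  'end'
# Local types:   ('sel', q, {a: T})  q!{a.T}    ('bra', q, {a: T})  q?{a.T}
#                ('mu', t, T)  ('var', t)  'end'

class NotMergeable(Exception):
    """Raised when T1 |><| T2 does not hold, i.e. T1 U T2 is undefined."""

def participants(G):
    """The set of p such that p occurs in G."""
    if G == 'end' or G[0] == 'var':
        return set()
    if G[0] == 'mu':
        return participants(G[2])
    return {G[1], G[2]}.union(*(participants(Gj) for Gj in G[3].values()))

def merge(T1, T2):
    """T1 U T2: identical types merge to themselves; branchings from the same
    sender take the union of their labels, merging shared continuations;
    every other constructor merges homomorphically or not at all."""
    if T1 == T2:
        return T1
    if T1 == 'end' or T2 == 'end' or T1[0] != T2[0]:
        raise NotMergeable((T1, T2))
    if T1[0] == 'bra' and T1[1] == T2[1]:
        branches = dict(T1[2])
        for a, T in T2[2].items():
            branches[a] = merge(T1[2][a], T) if a in T1[2] else T
        return ('bra', T1[1], branches)
    if T1[0] == 'sel' and T1[1] == T2[1] and T1[2].keys() == T2[2].keys():
        return ('sel', T1[1], {a: merge(T1[2][a], T2[2][a]) for a in T1[2]})
    if T1[0] == 'mu' and T1[1] == T2[1]:
        return ('mu', T1[1], merge(T1[2], T2[2]))
    raise NotMergeable((T1, T2))

def project(G, p):
    """G|p of Definition 3.1; raises NotMergeable when the projection is undefined."""
    if G == 'end' or G[0] == 'var':
        return G
    if G[0] == 'mu':
        return ('mu', G[1], project(G[2], p)) if p in participants(G[2]) else 'end'
    _, src, dst, branches = G
    if p == src:
        return ('sel', dst, {a: project(Gj, p) for a, Gj in branches.items()})
    if p == dst:
        return ('bra', src, {a: project(Gj, p) for a, Gj in branches.items()})
    projected = [project(Gj, p) for Gj in branches.values()]   # p is a bystander: merge
    result = projected[0]
    for T in projected[1:]:
        result = merge(result, T)
    return result

def project_all(G):
    """All projections {p: G|p} if G is well-formed, None otherwise."""
    try:
        return {p: project(G, p) for p in participants(G)}
    except NotMergeable:
        return None

def comm(p, q, **branches):
    return ('comm', p, q, branches)

# Example 3.1: mu t. A->B:{act. B->C:{sig. A->C:commit.t}, quit. B->C:{save. A->C:finish.end}}
COMMIT = ('mu', 't', comm('A', 'B',
    act=comm('B', 'C', sig=comm('A', 'C', commit=('var', 't'))),
    quit=comm('B', 'C', save=comm('A', 'C', finish='end'))))
# Remark 4.1: the type obtained from A, B, C is not projectable onto C; the one from A', B, C is.
NOT_WF = comm('B', 'A', a=comm('C', 'A', c='end'), b=comm('C', 'A', d='end'))
WF = comm('B', 'A', a=comm('C', 'A', c='end', d='end'), b=comm('C', 'A', c='end', d='end'))

if __name__ == '__main__':
    print(project(COMMIT, 'C'))
    print(project_all(NOT_WF), project_all(WF))
```

The bystander case is where merging does the work: C is not involved in A → B, so C's projection is the merge of its projections of the act and quit branches, two branchings from B with disjoint labels, which the union rule combines into the single B?{sig..., save...} of Example 3.1.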

LTS over global types We next present new labelled transition relations (LTS) for global and local types and their sound and complete correspondence.

The first step for giving an LTS semantics to global types (and then to local types) is to designate the observables ($\ell, \ell', \ldots$). We choose here to follow the definition of actions for CFSMs where a label $\ell$ denotes the sending or the reception of a message of label $a$ from $p$ to $p'$: $\ell ::= pp'!a \mid pp'?a$.

In order to define an LTS for global types, we need to represent intermediate states in the execution. For this reason, we introduce in the grammar of $G$ the construct $p \rightsquigarrow p' : j\{a_i . G_i\}_{i \in I}$ to represent the fact that the message $a_j$ has been sent but not yet received.

Definition 3.2 (LTS over global types). The relation $G \xrightarrow{\ell} G'$ is defined as ($subj(\ell)$ is defined in § 2):

[GR1] $p \rightarrow p' : \{a_i . G_i\}_{i \in I} \xrightarrow{pp'!a_j} p \rightsquigarrow p' : j\{a_i . G_i\}_{i \in I}$ $\quad (j \in I)$

[GR2] $p \rightsquigarrow p' : j\{a_i . G_i\}_{i \in I} \xrightarrow{pp'?a_j} G_j$

[GR3] $G[\mu t.G / t] \xrightarrow{\ell} G' \ \Longrightarrow\ \mu t.G \xrightarrow{\ell} G'$

[GR4] $\forall j \in I.\ G_j \xrightarrow{\ell} G'_j, \quad p, q \neq subj(\ell) \ \Longrightarrow\ p \rightarrow q : \{a_i . G_i\}_{i \in I} \xrightarrow{\ell} p \rightarrow q : \{a_i . G'_i\}_{i \in I}$

[GR5] $G_j \xrightarrow{\ell} G'_j, \quad q \neq subj(\ell), \quad \forall i \in I \setminus j.\ G'_i = G_i \ \Longrightarrow\ p \rightsquigarrow q : j\{a_i . G_i\}_{i \in I} \xrightarrow{\ell} p \rightsquigarrow q : j\{a_i . G'_i\}_{i \in I}$

[GR1] represents the emission of a message while [GR2] describes the reception of a message. [GR3] governs recursive types. [GR4,5] define the asynchronous semantics of global types, where the syntactic order of messages is enforced only for the participants that are involved. For example, in the case when the participants of two consecutive communications are disjoint, as in $G_1 = A \rightarrow B : a . C \rightarrow D : b . end$, we can observe the emission (and possibly the reception) of $b$ before the emission (or reception) of $a$ (by [GR4]).

A more interesting example is: $G_2 = A \rightarrow B : a . A \rightarrow C : b . end$. We write $\ell_1 = AB!a$, $\ell_2 = AB?a$, $\ell_3 = AC!b$ and $\ell_4 = AC?b$. The LTS allows the following three sequences:

$G_2 \xrightarrow{\ell_1} A \rightsquigarrow B : a . A \rightarrow C : b . end \xrightarrow{\ell_2} A \rightarrow C : b . end \xrightarrow{\ell_3} A \rightsquigarrow C : b . end \xrightarrow{\ell_4} end$

$G_2 \xrightarrow{\ell_1} A \rightsquigarrow B : a . A \rightarrow C : b . end \xrightarrow{\ell_3} A \rightsquigarrow B : a . A \rightsquigarrow C : b . end \xrightarrow{\ell_2} A \rightsquigarrow C : b . end \xrightarrow{\ell_4} end$

$G_2 \xrightarrow{\ell_1} A \rightsquigarrow B : a . A \rightarrow C : b . end \xrightarrow{\ell_3} A \rightsquigarrow B : a . A \rightsquigarrow C : b . end \xrightarrow{\ell_4} A \rightsquigarrow B : a . end \xrightarrow{\ell_2} end$

The last sequence is the most interesting: the sender A has to follow the syntactic order but the receiver C can get the message $b$ before B receives $a$. The respect of these constraints is enforced by the conditions $p, q \neq subj(\ell)$ and $q \neq subj(\ell)$ in rules [GR4,5].
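The LTS of Definition 3.2 executed mechanically, as an added example that is not code from the paper. It encodes global types as tuples (my own encoding, with ('sent', p, q, a_j, {a_i: G_i}) for the intermediate construct p ⇝ q : j{a_i.G_i}) and enumerates every complete label sequence of a non-recursive global type; run on $G_2$ it yields exactly the three sequences above, and on $G_1$ all six interleavings that keep each emission before its reception. Because [GR4] looks inside every branch, unfolding a recursive type under it would loop; the `active` set in `steps` stops a derivation from using its own conclusion, which is my device and not part of the definition.

```python
# Added example (not code from the paper): the LTS over global types of
# Definition 3.2. Global types: ('comm', p, q, {a: G}) for p -> q : {a.G},
# ('mu', t, G), ('var', t), 'end', and ('sent', p, q, a_j, {a_i: G_i}) for the
# intermediate p ~> q : j{a_i.G_i}. Labels: ('!', p, q, a) is pq!a, ('?', p, q, a) is pq?a.

def subst(G, t, R):
    """G[R/t]: replace the free occurrences of the type variable t in G by R."""
    if G == 'end':
        return G
    if G[0] == 'var':
        return R if G[1] == t else G
    if G[0] == 'mu':
        return G if G[1] == t else ('mu', G[1], subst(G[2], t, R))
    if G[0] == 'comm':
        return ('comm', G[1], G[2], {a: subst(Gj, t, R) for a, Gj in G[3].items()})
    return ('sent', G[1], G[2], G[3], {a: subst(Gj, t, R) for a, Gj in G[4].items()})

def subj(label):
    """subj(pq!a) = p, subj(pq?a) = q."""
    return label[1] if label[0] == '!' else label[2]

def steps(G, active=frozenset()):
    """All (label, G') with G --label--> G' by [GR1]-[GR5]. `active` records the
    types whose derivation is in progress so that [GR4] cannot unfold a recursive
    type forever (a finite derivation never uses its own conclusion)."""
    key = repr(G)
    if key in active or G == 'end' or G[0] == 'var':
        return []
    active = active | {key}
    if G[0] == 'mu':                                            # [GR3]
        return steps(subst(G[2], G[1], G), active)
    out = []
    if G[0] == 'comm':
        _, p, q, br = G
        for a in br:                                            # [GR1]
            out.append((('!', p, q, a), ('sent', p, q, a, br)))
        # [GR4]: a step by participants other than p, q, taken in every branch at once
        per_branch = {a: dict(steps(Gj, active)) for a, Gj in br.items()}
        common = set.intersection(*(set(d) for d in per_branch.values()))
        for l in common:
            if subj(l) not in (p, q):
                out.append((l, ('comm', p, q, {a: d[l] for a, d in per_branch.items()})))
    else:
        _, p, q, a, br = G
        out.append((('?', p, q, a), br[a]))                     # [GR2]
        for l, Gj2 in steps(br[a], active):                     # [GR5]: the chosen branch moves
            if subj(l) != q:
                out.append((l, ('sent', p, q, a, {**br, a: Gj2})))
    return out

def traces(G):
    """Every maximal label sequence of a non-recursive global type."""
    nxt = steps(G)
    if not nxt:
        return [()]
    return [(l,) + rest for l, G2 in nxt for rest in traces(G2)]

def comm(p, q, **branches):
    return ('comm', p, q, branches)

G1 = comm('A', 'B', a=comm('C', 'D', b='end'))   # disjoint participants: [GR4] applies
G2 = comm('A', 'B', a=comm('A', 'C', b='end'))   # the example of the text
REC = ('mu', 't', comm('A', 'B', a=('var', 't')))

if __name__ == '__main__':
    for tr in traces(G2):
        print(' '.join('%s%s%s%s' % (p, q, k, a) for k, p, q, a in tr))
```

From $A \rightsquigarrow B : a . \mu t.A \rightarrow B : a . t$ the function also offers a second $AB!a$ (by [GR5], since A is not the receiver B), which is the asynchronous behaviour the LTS is meant to capture: a sender may run ahead of its receiver.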

LTS over local types We define the LTS over local types. This is done in two steps, following the model of CFSMs, where the semantics is given first for individual automata and then extended to communicating systems. We use the same labels ($\ell, \ell', \ldots$) as the ones for CFSMs.

Definition 3.3 (LTS over local types). The relation $T \xrightarrow{\ell} T'$, for the local type of role $p$, is defined as:

[LR1] $q!\{a_i . T_i\}_{i \in I} \xrightarrow{pq!a_j} T_j$ $\quad (j \in I)$

[LR2] $q?\{a_i . T_i\}_{i \in I} \xrightarrow{qp?a_j} T_j$ $\quad (j \in I)$

[LR3] $T[\mu t.T / t] \xrightarrow{\ell} T' \ \Longrightarrow\ \mu t.T \xrightarrow{\ell} T'$

The semantics of a local type follows the intuition that every action of the local type should obey the syntactic order. We define the LTS for collections of local types.

Definition 3.4 (LTS over collections of local types). A configuration $s = (\vec{T}; \vec{w})$ of a system of local types $(T_p)_{p \in \mathcal{P}}$ is a pair with $\vec{T} = (T_p)_{p \in \mathcal{P}}$ and $\vec{w} = (w_{pq})_{p \neq q \in \mathcal{P}}$ with $w_{pq} \in A^*$. We then define the transition system for configurations. For a configuration $s_T = (\vec{T}; \vec{w})$, the visible transitions $s_T \xrightarrow{\ell} s'_T = (\vec{T}'; \vec{w}')$ are defined as:

1. $T_p \xrightarrow{pq!a} T'_p$ and (a) $T'_{p'} = T_{p'}$ for all $p' \neq p$; and (b) $w'_{pq} = w_{pq} \cdot a$ and $w'_{p'q'} = w_{p'q'}$ for all $p'q' \neq pq$; or

2. $T_q \xrightarrow{pq?a} T'_q$ and (a) $T'_{p'} = T_{p'}$ for all $p' \neq q$; and (b) $w_{pq} = a \cdot w'_{pq}$ and $w'_{p'q'} = w_{p'q'}$ for all $p'q' \neq pq$.

The semantics of local types is therefore defined over configurations, following the definition of the semantics of CFSMs. $w_{pq}$ represents the FIFO queue at channel $pq$. We write $Tr(G)$ to denote the set of the visible traces that can be obtained by reducing $G$. Similarly for $Tr(T)$ and $Tr(S)$. We extend the trace equivalences $\approx$ and $\approx_n$ of § 2 to global types and configurations of local types.

We now state the soundness and completeness of projection with respect to the LTSs defined above. The proof is given in Appendix A.

Theorem 3.1 (soundness and completeness).⁴ Let $G$ be a global type with participants $\mathcal{P}$ and let $\vec{T} = (G \restriction p)_{p \in \mathcal{P}}$ be the local types projected from $G$. Then $G \approx (\vec{T}; \vec{\varepsilon})$.

⁴ The local type abstracts the behaviour of multiparty typed processes as proved in the subject reduction theorem in [17]. Hence this theorem implies that processes typed by global type $G$ by the typing system in [3, 17] follow the LTS of $G$.
Local types and CFSMs Next we show how to algorithmically go from local types to CFSMs and back while preserving the trace semantics. We start by translating local types into CFSMs.

Definition 3.5 (translation from local types to CFSMs). Write $T' \in T$ if $T'$ occurs in $T$. Let $T_0$ be the local type of participant $p$ projected from $G$. The automaton corresponding to $T_0$ is $\mathcal{A}(T_0) = (Q, C, q_0, A, \delta)$ where: (1) $Q = \{T' \mid T' \in T_0,\ T' \neq t,\ T' \neq \mu t.T''\}$; (2) $q_0 = T'_0$ with $T_0 = \mu \tilde{t}.T'_0$ and $T'_0 \in Q$; (3) $C = \{pq \mid p, q \in G\}$; (4) $A$ is the set of $\{a \mid a \in G\}$; and (5) $\delta$ is defined as:

If $T = p'!\{a_i . T_i\}_{i \in I} \in Q$, then $(T, pp'!a_i, T_i) \in \delta$ if $T_i \in Q$, and $(T, pp'!a_i, T') \in \delta$ if $T_i = t$ and $\mu t.T' \in T_0$.

If $T = p'?\{a_i . T_i\}_{i \in I} \in Q$, then $(T, p'p?a_i, T_i) \in \delta$ if $T_i \in Q$, and $(T, p'p?a_i, T') \in \delta$ if $T_i = t$ and $\mu t.T' \in T_0$.

The definition says that the set of states $Q$ are the suboccurrences of branching or selection or end in the local type; the initial state $q_0$ is the occurrence of (the recursion body of) $T_0$; the channels and alphabet correspond to those in $T_0$; and the transition is defined from the state $T$ to its body $T_i$ with the action $pp'!a_i$ for the output and $p'p?a_i$ for the input. If $T_i$ is a recursive type variable $t$, it points to the state of the body of the corresponding recursive type. As an example of the translation, see C's local type in Example 3.1 and its corresponding automaton in Figure 1.

Proposition 3.1 (local types to CFSMs). Assume $T_p$ is a local type. Then $\mathcal{A}(T_p)$ is deterministic, directed and has no mixed states.

We say that a CFSM is basic if it is deterministic, directed and has no mixed states. Any basic CFSM can be translated into a local type.

Definition 3.6 (translation from a basic CFSM to a local type). Let $M_p = (Q, C, q_0, A, \delta)$ and assume $M_p$ is basic. Then we define the translation $\mathcal{T}(M_p)$ such that $\mathcal{T}(M_p) = \mathcal{T}_\emptyset(q_0)$ where $\mathcal{T}_{\tilde{q}}(q)$ is defined as:

(1) $\mathcal{T}_{\tilde{q}}(q) = \mu t_q . p'!\{a_j . \mathcal{T}_{\tilde{q} \cdot q}(q_j)\}_{j \in J}$ if $(q, pp'!a_j, q_j) \in \delta$;

(2) $\mathcal{T}_{\tilde{q}}(q) = \mu t_q . p'?\{a_j . \mathcal{T}_{\tilde{q} \cdot q}(q_j)\}_{j \in J}$ if $(q, p'p?a_j, q_j) \in \delta$;

(3) $\mathcal{T}_{\tilde{q}}(q) = end$ if $q$ is final; (4) $\mathcal{T}_{\tilde{q}}(q) = t_q$ if $q \in \tilde{q}$, this case taking precedence over (1,2).

Finally, we replace $\mu t.T$ by $T$ if $t$ does not occur in $T$.

In $\mathcal{T}_{\tilde{q}}$, $\tilde{q}$ records the visited states; (1,2) translate the sending and receiving states to selection and branching types, respectively; (3) translates the final state to $end$; and (4) is the case of a recursion: since $q$ was already visited, its transitions are not unfolded again and $q$ is replaced by the type variable $t_q$. The following states that the translations preserve the semantics.

Proposition 3.2 (translations between CFSMs and local types). If a CFSM $M$ is basic, then $M \approx \mathcal{T}(M)$. If $T$ is a local type, then $T \approx \mathcal{A}(T)$.
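The two translations of Definitions 3.5 and 3.6, and the basic-ness check of Proposition 3.1, as an added example that is not code from the paper. Local types use my own tuple encoding (('sel', q, {a: T}) for q!{a.T}, ('bra', q, {a: T}) for q?{a.T}, ('mu', t, T), ('var', t), 'end'); a CFSM is a dictionary from states to transitions (kind, sender, receiver, label, next_state) with state 0 initial, as in Figure 1. Run on C's local type from Example 3.1, the forward translation produces the four-state automaton of Figure 1, and the reverse translation recovers the type up to the naming of the recursion variable.

```python
# Added example (not code from the paper): A(T) of Definition 3.5 (local type to
# CFSM), the basic check of Proposition 3.1, and T(M) of Definition 3.6 (basic
# CFSM to local type). Tuple encodings are my own: ('sel', q, {a: T}) is q!{a.T},
# ('bra', q, {a: T}) is q?{a.T}; a CFSM is {state: [(kind, from, to, label, next)]}.

def to_cfsm(p, T0):
    """A(T0) for participant p: one state per selection/branching/end occurrence,
    numbered in traversal order. mu and t create no state: a variable resolves to
    the state of the body of the mu that binds it, as Definition 3.5 requires."""
    states, env = {}, {}
    def visit(T):
        if T != 'end' and T[0] == 'var':
            return env[T[1]]
        if T != 'end' and T[0] == 'mu':
            env[T[1]] = len(states)      # the body's state is the next one created
            return visit(T[2])
        q = len(states)
        states[q] = []
        if T != 'end':
            kind, partner = ('!', T[1]) if T[0] == 'sel' else ('?', T[1])
            src, dst = (p, partner) if kind == '!' else (partner, p)
            for a, Tj in T[2].items():
                states[q].append((kind, src, dst, a, visit(Tj)))
        return q
    visit(T0)
    return states

def is_basic(m):
    """Deterministic, directed and without mixed states (Proposition 3.1)."""
    for ts in m.values():
        actions = [t[:4] for t in ts]
        if len(set(actions)) != len(actions):          # one action, two targets
            return False
        partners = {(t[0], t[2] if t[0] == '!' else t[1]) for t in ts}
        if len(partners) > 1:                           # mixed, or not directed
            return False
    return True

def occurs(t, T):
    """Does the type variable t occur free in T?"""
    if T == 'end':
        return False
    if T[0] == 'var':
        return T[1] == t
    if T[0] == 'mu':
        return T[1] != t and occurs(t, T[2])
    return any(occurs(t, Tj) for Tj in T[2].values())

def to_local_type(m, q0=0):
    """T(M) of Definition 3.6 for a basic CFSM: a state met again on the current
    path becomes the variable t_q; a mu t_q binder that is never used is dropped."""
    def tr(q, visited):
        var = 't%d' % q
        if q in visited:
            return ('var', var)
        ts = m[q]
        if not ts:
            return 'end'
        kind = ts[0][0]
        partner = ts[0][2] if kind == '!' else ts[0][1]     # directed: one partner
        body = ('sel' if kind == '!' else 'bra', partner,
                {t[3]: tr(t[4], visited | {q}) for t in ts})
        return ('mu', var, body) if occurs(var, body) else body
    return tr(q0, frozenset())

# C's local type from Example 3.1: mu t. B?{sig. A?{commit. t}, save. A?{finish. end}}
C_TYPE = ('mu', 't', ('bra', 'B', {
    'sig': ('bra', 'A', {'commit': ('var', 't')}),
    'save': ('bra', 'A', {'finish': 'end'})}))
# A's local type from the same global type: mu t. B!{act. C!{commit. t}, quit. C!{finish. end}}
A_TYPE = ('mu', 't', ('sel', 'B', {
    'act': ('sel', 'C', {'commit': ('var', 't')}),
    'quit': ('sel', 'C', {'finish': 'end'})}))

if __name__ == '__main__':
    m = to_cfsm('C', C_TYPE)
    print(m, is_basic(m), to_local_type(m))
```

The round trip is not syntactic identity: Definition 3.6 names its variables after states, so the reverse translation yields $\mu t_0.B?\{\ldots\}$ for $\mu t.B?\{\ldots\}$, and two distinct $end$ occurrences in a type become two distinct final states in the automaton; Proposition 3.2 only promises equal traces.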



4 Completeness and synthesis 

This section studies the synthesis and sound and complete characterisation of the mul- 
tiparty session types as communicating automata. We first note that basic CFSMs cor- 
respond to the natural generalisation of half-duplex systems [8, § 4.1.1], in which each 
pair of machines linked by two channels, one in each direction, communicates in a 
half-duplex way. In this class, the safety properties of Definition 2.4 are however unde- 
cidable [8, Theorem 36]. We therefore need a stronger (and decidable) property to force 
basic CFSMs to behave as if they were the result of a projection from global types. 

Multiparty compatibility In the two machines case, there exists a sound and complete condition called compatible [15]. Let us define the isomorphism $\Phi : (C \times \{!, ?\} \times A)^* \rightarrow (C \times \{!, ?\} \times A)^*$ such that $\Phi(pq?a) = pq!a$, $\Phi(pq!a) = pq?a$, $\Phi(\varepsilon) = \varepsilon$ and $\Phi(t_1 \cdots t_n) = \Phi(t_1) \cdots \Phi(t_n)$. $\Phi$ exchanges a sending action with the corresponding receiving one and vice versa. The compatibility of two machines can be immediately defined as $Tr(M_1) = \Phi(Tr(M_2))$ (i.e. the traces of $M_1$ are exactly the set of dual traces of $M_2$). The idea of the extension to the multiparty case comes from the observation that from the viewpoint of the participant $p$, the rest of all the machines $(M_q)_{q \in \mathcal{P} \setminus p}$ should behave as if they were one CFSM which offers compatible traces $\Phi(Tr(M_p))$, up to internal synchronisations (i.e. 1-bounded executions). Below we define a way to group CFSMs.

Definition 4.1 (Definition 37, [8]). Let $M_i = (Q_i, C_i, q_{0i}, A_i, \delta_i)$. The associated CFSM of $S = (M_1, \ldots, M_n)$ is $M = (Q, C, q_0, A, \delta)$ such that: $Q = Q_1 \times Q_2 \times \cdots \times Q_n$, $q_0 = (q_{01}, \ldots, q_{0n})$ and $\delta$ is the least relation verifying: $((q_1, \ldots, q_i, \ldots, q_n), \ell, (q_1, \ldots, q'_i, \ldots, q_n)) \in \delta$ if $(q_i, \ell, q'_i) \in \delta_i$ ($1 \leq i \leq n$).

Below we define a notion of compatibility extended to more than two CFSMs. We say that $\varphi$ is an alternation if $\varphi$ is an alternation of sending and corresponding receive actions (i.e. the action $pq!a$ is immediately followed by $pq?a$).

Definition 4.2 (multiparty compatible system). A system $S = (M_1, \ldots, M_n)$ ($n \geq 2$) is multiparty compatible if for any 1-bounded reachable stable state $s \in RS_1(S)$, for any sequence of actions $\ell_1 \cdots \ell_k$ from $s$ in $M_i$, there is a sequence of transitions $\varphi_1 \cdot t_1 \cdot \varphi_2 \cdot t_2 \cdot \varphi_3 \cdots \varphi_k \cdot t_k$ from $s$ in a CFSM corresponding to $S^{-i} = (M_1, \ldots, M_{i-1}, M_{i+1}, \ldots, M_n)$ where $\varphi_j$ is either empty or an alternation, $\ell_j = \Phi(act(t_j))$ and $\ell_j \notin act(\varphi_j)$ for $1 \leq j \leq k$ (i.e. $\varphi_j$ does not contain actions to or from the channel of $\ell_j$).

The above definition states that for each $M_i$, the rest of the machines $S^{-i}$ can produce the compatible (dual) actions by executing alternations in $S^{-i}$. From $M_i$, these intermediate alternations can be seen as non-observable internal actions.

Example 4.1 (multiparty compatibility). As an example, we can test the multiparty compatibility property on the commit example of Figure 1. We only detail here how to check the compatibility from the point of view of C. To check the compatibility for the actions $act(t_1 \cdot t_2) = BC?sig \cdot AC?commit$, the only possible 1-bounded (i.e. alternating) execution is $AB!act \cdot AB?act$, and $\Phi(act(t_1)) = BC!sig$ is sent from B and $\Phi(act(t_2)) = AC!commit$ is sent from A. To check the compatibility for the actions $act(t_3 \cdot t_4) = BC?save \cdot AC?finish$, the 1-bounded execution is $AB!quit \cdot AB?quit$, and $\Phi(act(t_3)) = BC!save$ comes from B and $\Phi(act(t_4)) = AC!finish$ from A.



Remark 4.1. In Definition 4.2, we require to check the compatibility from any 1-bounded reachable stable state for the case where one branch is selected by different senders. Consider the following machines:

[Figure omitted: A receives BA?a and then CA?c, or BA?b and then CA?d; A' receives BA?a or BA?b and then, in either case, CA?c or CA?d; B sends BA!a or BA!b; C sends CA!c or CA!d.]

In A, B and C, each action in each machine has its dual but they do not satisfy multiparty compatibility. For example, if $BA!a \cdot BA?a$ is executed, $CA!d$ does not have a dual action (hence they do not satisfy the safety properties). On the other hand, the machines A', B and C satisfy multiparty compatibility.

Theorem 4.1. Assume $S = (M_p)_{p \in \mathcal{P}}$ is basic and multiparty compatible. Then $S$ satisfies the three safety properties in Definition 2.4. Further, if there exists at least one $M_q$ which includes a final state, then $S$ satisfies the liveness property.

Proof. We first prove that any basic $S$ which is multiparty compatible is stable ($S$ is stable if, for all $s \in RS(S)$, there exists an execution $\varphi$ such that $s \xrightarrow{\varphi} s'$ and $s'$ is stable, and there is a 1-bounded execution $s_0 \xrightarrow{\varphi'} s'$, i.e. any trace can be translated into a 1-bounded execution after some appropriate executions). The proof is non-trivial, using a detailed analysis of causal relations to translate into 1-bounded executions. Then the orphan message- and the reception error-freedom are its corollaries. The deadlock-freedom is proved by the stable property and multiparty compatibility. Liveness is a consequence of the orphan message- and deadlock-freedom. See Appendix B. □

Proposition 4.1. If all the CFSMs $M_p$ ($p \in \mathcal{P}$) are basic, there is an algorithm to check whether $(M_p)_{p \in \mathcal{P}}$ is multiparty compatible.

Proof. The algorithm to check $M_p$'s compatibility with $S^{-p}$ is defined using the set $RS_1(S)$ of reachable states using 1-bounded executions. Note that the set $RS_1(S)$ is decidable [8, Remark 19]. We start from $q = q_0$ and the initial configuration $s = s_0$. Suppose that, from $q$, we have the transitions $t_i = (q, pp'!a_i, q'_i) \in \delta_p$ ($i \in I$). We then construct $RS_1(S)$ (without executing $p$) until it includes $s'$ such that $\{s' \xrightarrow{t'_j} s_j\}_{j \in J}$ where $act(t'_j) = pp'?a_j$ and $I \subseteq J$. If there exists no such $s'$, it returns false and terminates. The case where, from $q$, we have receiving transitions $t_i = (q, p'p?a_i, q'_i)$ is dual. If it does not fail, we continue to check from state $q'_i$ and configuration $s_i$ for each $i \in I$. We repeat this procedure until we visit all $q \in Q_p$. Then we repeat it for the other machines $p'$ such that $p' \in \mathcal{P} \setminus p$. Then we repeat this procedure for all stable $s \in RS_1(S)$. □
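An executable version of the machinery of Section 2 and of the check of Proposition 4.1, as an added example that is not code from the paper; it serves both the configuration semantics of Definitions 2.1 to 2.4 (firing, the finite set $RS_k(S)$, orphan-message and unspecified-reception configurations) and the compatibility check. The machines are my hand encodings of Figure 1 and of Remark 4.1, with state 0 initial and a state without transitions final. The compatibility check is my reading of Proposition 4.1 rather than the paper's exact procedure: from every stable configuration of $RS_1(S)$ and for every machine $p$, the other machines may only perform alternations (the $\varphi_j$ of Definition 4.2) that involve neither $p$ nor $p$'s current channel, and must reach a configuration where $p$'s partner is ready, accepting all of $p$'s labels when $p$ sends (the $I \subseteq J$ of the proof) and selecting only labels $p$ accepts when $p$ receives (the dual case). On the commit protocol and on A', B, C it answers yes; on A, B, C of Remark 4.1 it answers no, and the same system has an unspecified reception configuration in $RS_1$, the failure the remark predicts.

```python
# Added example (not code from the paper): communicating systems with FIFO
# channels (Definitions 2.1-2.3), RS_k(S) and the configuration properties of
# Definition 2.4, and a multiparty-compatibility check in the manner of
# Proposition 4.1 (my reading: one state at a time from every stable s in RS_1(S),
# with alternations of the other machines as the internal executions). Machines
# are hand encodings of Figure 1 and Remark 4.1; state 0 is initial, no edges = final.

def machine(*edges):
    """{state: [(kind, sender, receiver, label, next_state), ...]} from edge tuples."""
    m = {}
    for q, kind, p, r, a, q2 in edges:
        m.setdefault(q, []).append((kind, p, r, a, q2))
        m.setdefault(q2, [])
    return m

def freeze(states, bufs):
    """Hashable configuration s = (control state, buffer contents)."""
    return (tuple(sorted(states.items())), tuple(sorted(bufs.items())))

def initial(system):
    names = sorted(system)
    return freeze({p: 0 for p in names},
                  {(p, q): () for p in names for q in names if p != q})

def moves(system, conf):
    """Enabled (owner, transition) pairs: a send is always enabled, a receive
    only when the head of its channel carries the expected label."""
    states, bufs = dict(conf[0]), dict(conf[1])
    for o in system:
        for t in system[o][states[o]]:
            if t[0] == '!' or bufs[(t[1], t[2])][:1] == (t[3],):
                yield o, t

def fire(conf, owner, t):
    """The configuration reached by firing t (Definition 2.3)."""
    states, bufs = dict(conf[0]), dict(conf[1])
    kind, p, r, a, q2 = t
    bufs[(p, r)] = bufs[(p, r)] + (a,) if kind == '!' else bufs[(p, r)][1:]
    states[owner] = q2
    return freeze(states, bufs)

def closure(start, succ):
    seen, todo = {start}, [start]
    while todo:
        for n in succ(todo.pop()):
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen

def reachable(system, k):
    """RS_k(S): every step along the way keeps each channel at k messages or fewer."""
    def succ(c):
        for o, t in moves(system, c):
            n = fire(c, o, t)
            if all(len(b) <= k for _, b in n[1]):
                yield n
    return closure(initial(system), succ)

def stable(conf):
    return all(b == () for _, b in conf[1])

def orphan_message(system, conf):
    states = dict(conf[0])
    return all(not system[p][states[p]] for p in system) and not stable(conf)

def unspecified_reception(system, conf):
    """Some machine is in a receiving state whose every receive faces a
    non-empty channel that does not start with the expected label."""
    states, bufs = dict(conf[0]), dict(conf[1])
    for q in system:
        ts = system[q][states[q]]
        if ts and all(t[0] == '?' for t in ts) and all(
                bufs[(t[1], t[2])] and bufs[(t[1], t[2])][0] != t[3] for t in ts):
            return True
    return False

def alternations(system, conf, skip, chan):
    """Stable successors of conf by one alternation pq!a.pq?a involving neither
    machine `skip` nor channel `chan` (the phi_j of Definition 4.2)."""
    for o, t in moves(system, conf):
        if t[0] == '!' and skip not in (t[1], t[2]) and (t[1], t[2]) != chan:
            c1 = fire(conf, o, t)
            for o2, t2 in moves(system, c1):
                if o2 == t[2] and t2[:4] == ('?',) + t[1:4]:
                    yield fire(c1, o2, t2)

def compatible(system):
    """From every stable s in RS_1(S), every non-final state of every (basic)
    machine p must find, after alternations of the others, a partner state that
    accepts all of p's sends, or selects only labels p can receive."""
    for s in reachable(system, 1):
        if not stable(s):
            continue
        for p in system:
            ts = system[p][dict(s[0])[p]]
            if not ts:
                continue
            sending = ts[0][0] == '!'
            partner = ts[0][2] if sending else ts[0][1]
            chan = (p, partner) if sending else (partner, p)
            mine = {t[3] for t in ts}
            def ready(c):
                theirs = {u[3] for u in system[partner][dict(c[0])[partner]]
                          if (u[1], u[2]) == chan and u[0] != ts[0][0]}
                return bool(theirs) and (mine <= theirs if sending else theirs <= mine)
            if not any(ready(c) for c in closure(s, lambda c: alternations(system, c, p, chan))):
                return False
    return True

A, B, C = 'A', 'B', 'C'
COMMIT = {  # Figure 1
    A: machine((0, '!', A, B, 'act', 1), (0, '!', A, B, 'quit', 2),
               (1, '!', A, C, 'commit', 0), (2, '!', A, C, 'finish', 3)),
    B: machine((0, '?', A, B, 'act', 1), (0, '?', A, B, 'quit', 2),
               (1, '!', B, C, 'sig', 0), (2, '!', B, C, 'save', 3)),
    C: machine((0, '?', B, C, 'sig', 1), (0, '?', B, C, 'save', 2),
               (1, '?', A, C, 'commit', 0), (2, '?', A, C, 'finish', 3))}
REMARK_B = machine((0, '!', B, A, 'a', 1), (0, '!', B, A, 'b', 1))
REMARK_C = machine((0, '!', C, A, 'c', 1), (0, '!', C, A, 'd', 1))
# Remark 4.1: A expects c after a and d after b; A' accepts c or d after either.
WITH_A = {A: machine((0, '?', B, A, 'a', 1), (0, '?', B, A, 'b', 2),
                     (1, '?', C, A, 'c', 3), (2, '?', C, A, 'd', 3)), B: REMARK_B, C: REMARK_C}
WITH_A2 = {A: machine((0, '?', B, A, 'a', 1), (0, '?', B, A, 'b', 1),
                      (1, '?', C, A, 'c', 2), (1, '?', C, A, 'd', 2)), B: REMARK_B, C: REMARK_C}

if __name__ == '__main__':
    print(compatible(COMMIT), compatible(WITH_A2), compatible(WITH_A))
```

Two points worth noticing when running it. First, the full reachable set of the commit protocol is infinite (A can loop through act and commit without B ever reading), so only the bounded $RS_k$ is explored, exactly as the text says it must be; $RS_1$ is strictly smaller than $RS_2$. Second, the failing check for A, B, C is found at the initial configuration from C's point of view: no alternation of B and A brings A into a state that accepts both c and d, which is the same fact as the unspecified reception reached after $BA!a \cdot BA?a \cdot CA!d$.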

Synthesis Below we state the lemma which will be crucial for the proof of the synthesis and completeness. The lemma comes from the intuition that the transitions of multiparty compatible systems are always permutations of 1-bounded executions, as is the case in multiparty session types. See Appendix B.2 for the proof.

Lemma 4.1 (1-buffer equivalence). Suppose $S_1$ and $S_2$ are two basic and multiparty compatible communicating systems such that $S_1 \approx_1 S_2$. Then $S_1 \approx S_2$.

Theorem 4.2 (synthesis). Suppose $S$ is a basic system and multiparty compatible. Then there is an algorithm which successfully builds a well-formed $G$ such that $S \approx G$ if such a $G$ exists, and otherwise terminates.
Proof. We assume $S = (M_{\mathtt p})_{\mathtt p \in \mathcal P}$. The algorithm starts from the initial states of all machines $(q_{\mathtt p_1 0}, \ldots, q_{\mathtt p_n 0})$. We take a pair of initial states consisting of a sending state $q_{\mathtt p}$ and a receiving state $q_{\mathtt q}$ from $\mathtt p$ to $\mathtt q$. We note that by directedness, if there are more than two such pairs, the participants in any two pairs are disjoint, and by [G4] in Definition 3.2, the order in which they are treated does not matter. We apply the algorithm with the invariant that all buffers are empty and that we repeatedly pick one pair of a sending state $q_{\mathtt p}$ and a receiving state $q_{\mathtt q}$. We define $G(q_1, \ldots, q_n)$ (where $q_{\mathtt p}, q_{\mathtt q} \in \{q_1, \ldots, q_n\}$) as follows:

- if $(q_1, \ldots, q_n)$ has already been examined and if all participants have been involved since then (or the ones that have not are in their final state), we set $G(q_1, \ldots, q_n)$ to be the recursion variable $\mathbf t_{q_1, \ldots, q_n}$. Otherwise, we select a sender/receiver pair from two participants that have not been involved (and are not final) and go to the next step;

- otherwise, in $q_{\mathtt p}$, from machine $\mathtt p$, we know that all the transitions are sending actions towards $\mathtt q$ (by directedness), i.e. of the form $(q_{\mathtt p}, \mathtt{pq}!a_i, q_i) \in \delta_{\mathtt p}$ for $i \in I$.

  • we check that machine $\mathtt q$ is in a receiving state $q_{\mathtt q}$ such that $(q_{\mathtt q}, \mathtt{pq}?a_j, q'_j) \in \delta_{\mathtt q}$ for $j \in J$ with $I \subseteq J$;

  • we set $\mu\mathbf t_{q_1, \ldots, q_n}.\ \mathtt p \to \mathtt q : \{a_i.\, G(q_1, \ldots, q_{\mathtt p} \leftarrow q_i, \ldots, q_{\mathtt q} \leftarrow q'_i, \ldots, q_n)\}_{i \in I}$ (we replace $q_{\mathtt p}$ and $q_{\mathtt q}$ by $q_i$ and $q'_i$ respectively) and continue by recursive calls;

  • if all sending states in $q_1, \ldots, q_n$ have become final, then we set $G(q_1, \ldots, q_n) = \mathbf{end}$;

- we erase an unnecessary $\mu\mathbf t$ if $\mathbf t$ does not occur in $G$, and check that $G$ satisfies Definition 3.1.

Since the algorithm only explores 1-bounded executions, the reconstructed $G$ satisfies $G \approx_1 S$. By Theorem 3.1, we know that $G \approx (G \upharpoonright \mathtt p)_{\mathtt p \in \mathcal P}$. Hence, by Proposition 3.2, we have $G \approx S'$ where $S'$ is the communicating system translated from the projected local types $(G \upharpoonright \mathtt p)_{\mathtt p \in \mathcal P}$ of $G$. By Lemma 4.1, $S \approx S'$ and therefore $S \approx G$. □

The algorithm can generate the global type in Example 3.1 from the CFSMs in Figure 1, and the global type $\mathtt B \to \mathtt A : \{a : \mathtt C \to \mathtt A : \{c : \mathbf{end}, d : \mathbf{end}\},\ b : \mathtt C \to \mathtt A : \{c : \mathbf{end}, d : \mathbf{end}\}\}$ from $\mathtt A'$, $\mathtt B$ and $\mathtt C$ in Remark 4.1. Note that $\mathtt B \to \mathtt A : \{a : \mathtt C \to \mathtt A : \{c : \mathbf{end}\},\ b : \mathtt C \to \mathtt A : \{d : \mathbf{end}\}\}$, generated by $\mathtt A$, $\mathtt B$ and $\mathtt C$ in Remark 4.1, is not projectable by Definition 3.1 (the projection onto $\mathtt C$ would have to merge the outputs $\mathtt A!c$ and $\mathtt A!d$, although $\mathtt C$ does not know which branch $\mathtt B$ chose), hence it is not well-formed.

By Theorems 3.1, 4.1 and 4.2, and Proposition 3.2, we can now conclude:

Theorem 4.3 (soundness and completeness in CMSA). Suppose $S$ is basic and multiparty compatible. Then there exists $G$ such that $S \approx G$. Conversely, if $G$ is well-formed, then there exists $S$ which satisfies the three safety properties in Definition 2.4 and $S \approx G$.
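The synthesis procedure above, and the projectability check it ends with, as an added worked example written for this page (it is not code from the paper). Each machine is a table of transitions; the exploration only ever visits configurations with empty buffers (the 1-bounded, pair-at-a-time walk of the proof), applies the I ⊆ J check at every sender/receiver pair, introduces a $\mu\mathbf t$ only when a configuration already on the current path is revisited (a simplification of the "all participants involved since then" condition of the proof), and finally projects the result with a merge that unions receive branches from the same partner and requires everything else to coincide; that merge rule is an assumption of this example, in the spirit of the subtyping of Figure 2. The machines B, C, A and A' are constructed here from the description on this page, not copied from Remark 4.1 (which is not part of this excerpt), so in this construction the system with A is rejected at the I ⊆ J check, and the non-projectable global type quoted in the text is checked directly.

```python
"""Global-type synthesis from CFSMs, following the 1-bounded, empty-buffer
exploration in the proof of Theorem 4.2, plus projection with merge to check the
result is projectable. Example code written for this page; the machines below are
constructed from the description on the page, not copied from Remark 4.1."""
from functools import reduce

# A system maps a participant to (initial state, transitions); transitions map a
# state to a list of (kind, partner, label, next), kind '!' = send, '?' = receive;
# a state without transitions is final. Global types are the tuples ("msg", p, q,
# {label: G}), ("mu", t, G), ("var", t) and END; local types use "send"/"recv".
END = ("end",)

class Rejected(Exception):
    pass

def uses_var(g, t):
    if g[0] == "var":
        return g[1] == t
    if g[0] == "mu":
        return g[1] != t and uses_var(g[2], t)
    return g[0] == "msg" and any(uses_var(b, t) for b in g[3].values())

def synthesise(system):
    """Return (global type, None) or (None, reason). All buffers stay empty."""
    names = sorted(system)

    def step(conf, path):
        if conf in path:                       # configuration already on the path
            return ("var", path[conf])
        if all(not system[p][1].get(q) for p, q in zip(names, conf)):
            return END
        for i, p in enumerate(names):          # sender p directed at q, q receiving from p
            sends = system[p][1].get(conf[i], [])
            if not sends or sends[0][0] != "!":
                continue
            q = sends[0][1]
            j = names.index(q)
            recvs = [t for t in system[q][1].get(conf[j], []) if t[:2] == ("?", p)]
            if not recvs:
                continue
            sent = {l: n for _, _, l, n in sends}
            offered = {l: n for _, _, l, n in recvs}
            missing = sorted(set(sent) - set(offered))
            if missing:                        # the I ⊆ J check of the algorithm fails
                raise Rejected(f"{q} cannot receive {missing} from {p}")
            t = f"t{len(path)}"
            branches = {}
            for l in sorted(sent):
                new = list(conf)
                new[i], new[j] = sent[l], offered[l]
                branches[l] = step(tuple(new), {**path, conf: t})
            g = ("msg", p, q, branches)
            return ("mu", t, g) if uses_var(g, t) else g  # erase an unused mu t
        raise Rejected(f"no matching sender/receiver pair in {conf}")

    try:
        return step(tuple(system[p][0] for p in names), {}), None
    except Rejected as e:
        return None, str(e)

def merge(t1, t2):
    """Mergeability assumed here: receives from the same partner are merged by
    label union (cf. the subtyping of Fig. 2); anything else must coincide."""
    if t1 == t2:
        return t1
    if t1[0] == t2[0] == "recv" and t1[1] == t2[1]:
        b1, b2 = t1[2], t2[2]
        return ("recv", t1[1], {l: merge(b1[l], b2[l]) if l in b1 and l in b2
                                else b1.get(l, b2.get(l)) for l in set(b1) | set(b2)})
    raise Rejected(f"cannot merge {t1} with {t2}")

def project(g, r):
    if g[0] in ("end", "var"):
        return g
    if g[0] == "mu":
        return ("mu", g[1], project(g[2], r))
    _, p, q, branches = g
    if r in (p, q):
        kind, partner = ("send", q) if r == p else ("recv", p)
        return (kind, partner, {l: project(b, r) for l, b in branches.items()})
    return reduce(merge, (project(b, r) for b in branches.values()))

def projectable(g, participants):
    """True when every participant has a projection, i.e. every merge succeeds."""
    try:
        return all(project(g, r) is not None for r in participants)
    except Rejected:
        return False

# Constructed machines: B picks a or b and C independently picks c or d; A' accepts
# either message from C after either message from B, whereas A accepts c only after
# a and d only after b (so the combination a then d is a reception error).
B = ("b0", {"b0": [("!", "A", "a", "b1"), ("!", "A", "b", "b1")], "b1": []})
C = ("c0", {"c0": [("!", "A", "c", "c1"), ("!", "A", "d", "c1")], "c1": []})
A_PRIME = ("a0", {"a0": [("?", "B", "a", "a1"), ("?", "B", "b", "a1")],
                  "a1": [("?", "C", "c", "a2"), ("?", "C", "d", "a2")], "a2": []})
A = ("a0", {"a0": [("?", "B", "a", "a1"), ("?", "B", "b", "a2")],
            "a1": [("?", "C", "c", "a3")], "a2": [("?", "C", "d", "a3")], "a3": []})
```

With `synthesise({"A": A_PRIME, "B": B, "C": C})` the result is the first global type quoted above, and `project` gives $\mathtt C$ the single output type $\mathtt A!\{c, d\}$ in both branches, so the merge succeeds. With `A` instead, the walk reaches the configuration after $\mathtt B \to \mathtt A : a$, where $\mathtt C$ may send $c$ or $d$ but $\mathtt A$ only offers $c$, and synthesis stops with the reason string naming the unreceivable label. A recursive protocol (a sender looping on one label until it sends another) exercises the `("var", t)` and `("mu", t, G)` path.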

5 Conclusion and related work

This paper investigated the sound and complete characterisation of multiparty session types in terms of CFSMs and developed a decidable synthesis algorithm from basic CFSMs. The main tool we used is a new extension of the duality condition for binary session types to multiparty interactions, called multiparty compatibility. The basic condition (coming from binary session types) together with the multiparty compatibility property is a necessary and sufficient condition to obtain safe global types. Our aim is to offer a duality notion which could be applied to extend other theoretical foundations, such as the Curry-Howard correspondence with linear logics [6, 26], to multiparty communications. Basic multiparty compatible CFSMs also define one of the few non-trivial decidable subclasses of CFSMs which satisfy deadlock-freedom. The methods proposed here are applicable to a wide range of applications based on choreography protocol models and, more widely, finite state machines. We are currently working on two applications based on the theory developed in this paper: the Testable Architecture [23], which enables the communication structure of the implementation to be inferred and to be tested against the choreography; and dynamic monitoring for a large-scale cyberinfrastructure [22], where a central controller can check by synthesis that distributed update paths for monitor specifications (which form FSMs projected from a global specification) are safe.

Our previous work [11] presented the first translation from global and local types into CFSMs. It only analysed the properties of the automata resulting from such a translation. The complete characterisation of global types independently of the projected local types was left open, as was synthesis. The present paper closes this open problem. There is a large number of papers in the literature about the synthesis of CFSMs; see [20] for a summary of recent results. The main distinction from CFSM synthesis is, apart from the formal setting (i.e. types), the kind of target specification to be generated (global types in our case). Our synthesis is not only concerned with trace properties (languages), as is the standard synthesis of CFSMs (the problem of the closed synthesis of CFSMs is usually defined as the construction, from a regular language $L$, of a machine satisfying certain conditions related to buffer boundedness, deadlock-freedom and word swapping), but it also generates concrete syntax, i.e. choreography descriptions that serve as types of programs or software. Hence the results are directly applicable to programming languages and can be straightforwardly integrated into existing frameworks based on session types.

Within the context of multiparty session types, [19] first studied the reconstruction of a global type from its projected local types up to asynchronous subtyping, and [18] recently offered a typing system to synthesise global types from local types. Our synthesis based on CFSMs is more general since CFSMs do not depend on the syntax of local types. For example, [18, 19] cannot treat the synthesis for $\mathtt A'$, $\mathtt B$ and $\mathtt C$ in Remark 4.1. These works also do not study completeness (i.e. they build a global type from a set of projected local types (up to subtyping), and do not investigate necessary and sufficient conditions to build a well-formed global type). A difficulty of the completeness result is that it is in general unknown whether the global type constructed by the synthesis can simulate executions with arbitrary buffer bounds, since the synthesis only directly looks at 1-bounded executions. In this paper, we proved Lemma 4.1 and bridged this gap towards the complete characterisation. Recent work by [2, 7] focuses on proving the semantic correspondence between global and local descriptions (see [11] for a more detailed comparison), but no synthesis algorithm is studied.
A Appendix for Section 3

A.1 Proof of Theorem 3.1

Local Types Subtyping In order to relate global and local types, we define in Figure 2 a subtyping relation $\preceq$ on local types. Local type $T'$ is a supertype of local type $T$, written $T \preceq T'$, if it offers more receive transitions. We note that $T_j \preceq \sqcup_{i \in I} T_i$ for every $j \in I$.

$$\frac{\forall i \in I,\ T_i \preceq T'_i}{\mathtt p!\{a_i.T_i\}_{i \in I} \preceq \mathtt p!\{a_i.T'_i\}_{i \in I}}
\qquad
\frac{I \subseteq J \qquad \forall i \in I,\ T_i \preceq T'_i}{\mathtt p?\{a_i.T_i\}_{i \in I} \preceq \mathtt p?\{a_j.T'_j\}_{j \in J}}
\qquad
\mathbf t \preceq \mathbf t
\qquad
\frac{T \preceq T'}{\mu\mathbf t.T \preceq \mu\mathbf t.T'}$$

Fig. 2. Subtyping between local types

This subtyping relation is extended to configurations in the following way: $(\vec T; \vec w) \preceq (\vec T'; \vec w')$ if $\vec w = \vec w'$ and $\forall \mathtt p \in \mathcal P$, $T_{\mathtt p} \preceq T'_{\mathtt p}$.

The main property of subtyping is that it preserves traces, i.e. if $s \preceq s'$, then $s \approx s'$.
Extension of projection In order to prove Theorem 3.1, we extend the definition of projection to global intermediate states.

We represent the projected configuration $\llbracket G \rrbracket$ of a global type $G$ as a configuration $(\{G \upharpoonright \mathtt p\}_{\mathtt p \in \mathcal P}, \{\llbracket G \rrbracket_{\mathtt{qq'}}\}_{\mathtt{qq'} \in \mathcal P})$, where the content of the buffers $\llbracket G \rrbracket_{\mathtt{qq'}}$ is given by:

$$\llbracket \mathtt p \rightsquigarrow \mathtt p' : j\,\{a_i.G_i\}_{i \in I} \rrbracket_{\{\mathtt{qq'}\}_{\mathtt{qq'} \in \mathcal P}} = \llbracket G_j \rrbracket_{\{\mathtt{qq'}\}_{\mathtt{qq'} \in \mathcal P}}[w_{\mathtt{pp'}} \mapsto a_j \cdot w_{\mathtt{pp'}}]$$
$$\llbracket \mathtt p \to \mathtt p' : \{a_i.G_i\}_{i \in I} \rrbracket_{\{\mathtt{qq'}\}_{\mathtt{qq'} \in \mathcal P}} = \llbracket G_i \rrbracket_{\{\mathtt{qq'}\}_{\mathtt{qq'} \in \mathcal P}} \quad (i \in I)$$

(the message $a_j$ of an intermediate state was sent before any message of its continuation, hence it is placed at the head of $w_{\mathtt{pp'}}$), and where the projection algorithm $\upharpoonright \mathtt q$ is extended by:

$$(\mathtt p \rightsquigarrow \mathtt p' : j\,\{a_i.G_i\}_{i \in I}) \upharpoonright \mathtt q =
\begin{cases}
\mathtt p?\{a_i.\, G_i \upharpoonright \mathtt q\}_{i \in I} & \text{if } \mathtt q = \mathtt p' \\
G_j \upharpoonright \mathtt q & \text{otherwise}
\end{cases}$$

This extended projection allows us to match global type and projected local type transitions step by step.
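As an added illustration (not part of the original appendix), consider the global type

$$G = \mathtt p \to \mathtt p' : \{a_1.\ \mathtt p \to \mathtt q : \{c.\mathbf{end}\},\ a_2.\ \mathtt p \to \mathtt q : \{d.\mathbf{end}\}\}$$

whose projection $\llbracket G \rrbracket$ has empty buffers and the local types

$$G \upharpoonright \mathtt p = \mathtt p'!\{a_1.\ \mathtt q!\{c.\mathbf{end}\},\ a_2.\ \mathtt q!\{d.\mathbf{end}\}\},\qquad
G \upharpoonright \mathtt p' = \mathtt p?\{a_1.\mathbf{end},\ a_2.\mathbf{end}\},\qquad
G \upharpoonright \mathtt q = \mathtt p?\{c.\mathbf{end}\} \sqcup \mathtt p?\{d.\mathbf{end}\} = \mathtt p?\{c.\mathbf{end},\ d.\mathbf{end}\}.$$

After the send $\mathtt{pp'}!a_1$ the global type is $G' = \mathtt p \rightsquigarrow \mathtt p' : 1\,\{a_1.\ \mathtt p \to \mathtt q : \{c.\mathbf{end}\},\ a_2.\ \mathtt p \to \mathtt q : \{d.\mathbf{end}\}\}$, and the extended projection gives

$$\llbracket G' \rrbracket_{\mathtt{pp'}} = a_1,\qquad
G' \upharpoonright \mathtt p = \mathtt q!\{c.\mathbf{end}\},\qquad
G' \upharpoonright \mathtt p' = \mathtt p?\{a_1.\mathbf{end},\ a_2.\mathbf{end}\},\qquad
G' \upharpoonright \mathtt q = \mathtt p?\{c.\mathbf{end}\}.$$

The local configuration $s'$ reached from $\llbracket G \rrbracket$ by [LR1] agrees with $\llbracket G' \rrbracket$ on $\mathtt p$, $\mathtt p'$ and the buffers, but keeps $\mathtt q$ at $\mathtt p?\{c.\mathbf{end},\ d.\mathbf{end}\}$: the projection of $G$ cannot know which branch $\mathtt p$ will choose, so the merged type offers both labels. Since $\mathtt p?\{c.\mathbf{end}\} \preceq \mathtt p?\{c.\mathbf{end},\ d.\mathbf{end}\}$ by the second rule of Figure 2, we obtain $\llbracket G' \rrbracket \preceq s'$ rather than equality, which is exactly why Lemma A.1 below is stated up to $\preceq$.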

Theorem 3.1 We prove Theorem 3.1 by combining the local type subtyping and the extended projection into a step equivalence lemma. Theorem 3.1 is a simple consequence of Lemma A.1.

Lemma A.1 (Step equivalence). For all global types $G$ and local configurations $s$, if $\llbracket G \rrbracket \preceq s$, then $G \xrightarrow{\ell} G'$ if and only if $s \xrightarrow{\ell} s'$ with $\llbracket G' \rrbracket \preceq s'$.

Proof. The proof is by induction on the possible global and local transitions.

Correctness By induction on the structure of each reduction $G \xrightarrow{\ell} G'$, we prove that $\llbracket G \rrbracket \xrightarrow{\ell} s$ with $\llbracket G' \rrbracket \preceq s$. We use the fact that if $s \preceq s'$ then $s \approx s'$, in order to consider only the matching transitions of $\llbracket G \rrbracket$.

[GR1] where $G = \mathtt p \to \mathtt p' : \{a_i.G_i\}_{i \in I} \xrightarrow{\mathtt{pp'}!a_j} G' = \mathtt p \rightsquigarrow \mathtt p' : j\,\{a_i.G_i\}_{i \in I}$. The projection of $G$ is $\llbracket G \rrbracket = s_T = (\{T_{\mathtt q}\}_{\mathtt q \in \mathcal P}, \{w_{\mathtt{qq'}}\}_{\mathtt{qq'} \in \mathcal P})$. The local types are $T_{\mathtt p} = G \upharpoonright \mathtt p = \mathtt p'!\{a_i.\, G_i \upharpoonright \mathtt p\}_{i \in I}$, $T_{\mathtt p'} = G \upharpoonright \mathtt p' = \mathtt p?\{a_i.\, G_i \upharpoonright \mathtt p'\}_{i \in I}$ and (for $\mathtt q \notin \{\mathtt p, \mathtt p'\}$) $T_{\mathtt q} = \sqcup_{i \in I} G_i \upharpoonright \mathtt q$. Rule [LR1] allows $\mathtt p'!\{a_i.\, G_i \upharpoonright \mathtt p\}_{i \in I} \xrightarrow{\mathtt{pp'}!a_j} G_j \upharpoonright \mathtt p$. We therefore have
$$s_T \xrightarrow{\mathtt{pp'}!a_j} (\{T'_{\mathtt q}\}_{\mathtt q \in \mathcal P}, \{w'_{\mathtt{qq'}}\}_{\mathtt{qq'} \in \mathcal P})$$
with $T'_{\mathtt q} = T_{\mathtt q}$ if $\mathtt q \neq \mathtt p$, $T'_{\mathtt p} = G_j \upharpoonright \mathtt p$, and with $w'_{\mathtt{qq'}} = w_{\mathtt{qq'}}$ if $\mathtt{qq'} \neq \mathtt{pp'}$ and $w'_{\mathtt{pp'}} = w_{\mathtt{pp'}} \cdot a_j$. Since $G_j \upharpoonright \mathtt q \preceq \sqcup_{i \in I} G_i \upharpoonright \mathtt q$ for the participants $\mathtt q \notin \{\mathtt p, \mathtt p'\}$, and the other components coincide with the extended projection of $G'$, we have $\llbracket G' \rrbracket \preceq (\{T'_{\mathtt q}\}_{\mathtt q \in \mathcal P}, \{w'_{\mathtt{qq'}}\}_{\mathtt{qq'} \in \mathcal P})$, as required.

[GR2] where $G = \mathtt p \rightsquigarrow \mathtt p' : j\,\{a_i.G_i\}_{i \in I} \xrightarrow{\mathtt{pp'}?a_j} G' = G_j$. The projection of $G$ is $\llbracket G \rrbracket = s_T = (\{T_{\mathtt q}\}_{\mathtt q \in \mathcal P}, \{w_{\mathtt{qq'}}\}_{\mathtt{qq'} \in \mathcal P})$. The local types are $T_{\mathtt p} = G \upharpoonright \mathtt p = G_j \upharpoonright \mathtt p$, $T_{\mathtt p'} = G \upharpoonright \mathtt p' = \mathtt p?\{a_i.\, G_i \upharpoonright \mathtt p'\}_{i \in I}$ and (for $\mathtt q \notin \{\mathtt p, \mathtt p'\}$) $T_{\mathtt q} = G_j \upharpoonright \mathtt q$. We also know that $w_{\mathtt{pp'}}$ is of the form $a_j \cdot w'_{\mathtt{pp'}}$, with $a_j$ at the head of the queue. Using [LR2],
$$(\{T_{\mathtt q}\}_{\mathtt q \in \mathcal P}, \{w_{\mathtt{qq'}}\}_{\mathtt{qq'} \in \mathcal P}) \xrightarrow{\mathtt{pp'}?a_j} (\{G_j \upharpoonright \mathtt q\}_{\mathtt q \in \mathcal P}, \{w'_{\mathtt{qq'}}\}_{\mathtt{qq'} \in \mathcal P})$$
with $w'_{\mathtt{qq'}} = w_{\mathtt{qq'}}$ if $\mathtt{qq'} \neq \mathtt{pp'}$. The result of the transition is the same as the projection $\llbracket G' \rrbracket$ of $G'$.
[GR3] where $G = \mu\mathbf t.G' \xrightarrow{\ell} G''$. By hypothesis, we know that $G'[\mu\mathbf t.G'/\mathbf t] \xrightarrow{\ell} G''$. By induction, we know that $\llbracket G'[\mu\mathbf t.G'/\mathbf t] \rrbracket = s_T = (\{T_{\mathtt q}\}_{\mathtt q \in \mathcal P}, \{w_{\mathtt{qq'}}\}_{\mathtt{qq'} \in \mathcal P})$ can do a reduction $\ell$ to $\llbracket G'' \rrbracket = s_{T'} = (\{T'_{\mathtt q}\}_{\mathtt q \in \mathcal P}, \{w'_{\mathtt{qq'}}\}_{\mathtt{qq'} \in \mathcal P})$ (up to $\preceq$). Projection is homomorphic for recursion, hence $G'[\mu\mathbf t.G'/\mathbf t] \upharpoonright \mathtt q = (G' \upharpoonright \mathtt q)[\mu\mathbf t.(G' \upharpoonright \mathtt q)/\mathbf t]$. We use [LR4] to conclude.

[GR4] where $\mathtt p \to \mathtt q : \{a_i.G_i\}_{i \in I} \xrightarrow{\ell} \mathtt p \to \mathtt q : \{a_i.G'_i\}_{i \in I}$ and $\mathtt p, \mathtt q \notin subj(\ell)$. By induction, we know that $\forall i \in I$, $\llbracket G_i \rrbracket \xrightarrow{\ell} \llbracket G'_i \rrbracket$. We need to prove that $\llbracket \mathtt p \to \mathtt q : \{a_i.G_i\}_{i \in I} \rrbracket \xrightarrow{\ell} \llbracket \mathtt p \to \mathtt q : \{a_i.G'_i\}_{i \in I} \rrbracket$. The projections for all participants are identical, except for $\mathtt q' = subj(\ell)$, whose projection is (computed by merging) $\sqcup_{i \in I} G_i \upharpoonright \mathtt q'$. Since $\forall i \in I$, $\llbracket G_i \rrbracket \xrightarrow{\ell} \llbracket G'_i \rrbracket$, we know that all the $G_i \upharpoonright \mathtt q'$ have at least the prefix corresponding to $\ell$ and that, using either [LR1] or [LR2], the continuations are the $G'_i \upharpoonright \mathtt q'$. We can then conclude that $\sqcup_{i \in I} G_i \upharpoonright \mathtt q' \xrightarrow{\ell} \sqcup_{i \in I} G'_i \upharpoonright \mathtt q'$.

[GR5] where $\mathtt p \rightsquigarrow \mathtt q : j\,\{a_i.G_i\}_{i \in I} \xrightarrow{\ell} \mathtt p \rightsquigarrow \mathtt q : j\,\{a_i.G'_i\}_{i \in I}$ and $\mathtt q \notin subj(\ell)$, with $G'_i = G_i$ for $i \neq j$. By induction, we know that $\llbracket G_j \rrbracket \xrightarrow{\ell} \llbracket G'_j \rrbracket$. We need to prove that $\llbracket \mathtt p \rightsquigarrow \mathtt q : j\,\{a_i.G_i\}_{i \in I} \rrbracket \xrightarrow{\ell} \llbracket \mathtt p \rightsquigarrow \mathtt q : j\,\{a_i.G'_i\}_{i \in I} \rrbracket$. The projections for all participants are identical, except for $\mathtt q' = subj(\ell)$, whose projection is $G_j \upharpoonright \mathtt q'$. By induction, $G_j \upharpoonright \mathtt q' \xrightarrow{\ell} G'_j \upharpoonright \mathtt q'$, which allows us to conclude.

Completeness We prove by induction on $\llbracket G \rrbracket = (\{T_{\mathtt p}\}_{\mathtt p \in \mathcal P}, \{w_{\mathtt{qq'}}\}_{\mathtt{qq'} \in \mathcal P}) \xrightarrow{\ell} (\{T'_{\mathtt p}\}_{\mathtt p \in \mathcal P}, \{w'_{\mathtt{qq'}}\}_{\mathtt{qq'} \in \mathcal P})$ that $G \xrightarrow{\ell} G'$ with $\llbracket G' \rrbracket \preceq (\{T'_{\mathtt p}\}_{\mathtt p \in \mathcal P}, \{w'_{\mathtt{qq'}}\}_{\mathtt{qq'} \in \mathcal P})$.

[LR1] There is $T_{\mathtt p} = G \upharpoonright \mathtt p = \mathtt q!\{a_i.\, G_i \upharpoonright \mathtt p\}_{i \in I}$. By definition of projection, $G$ has $\mathtt p \to \mathtt q : \{a_i.G_i\}_{i \in I}$ as a subterm, possibly several times (by mergeability). By definition of projection, we note that no action in $G$ can involve $\mathtt p$ before any of the occurrences of $\mathtt p \to \mathtt q : \{a_i.G_i\}_{i \in I}$. Therefore we can apply [GR4] and [GR5] as many times as needed, and use [GR1] to reduce to $\mathtt p \rightsquigarrow \mathtt q : j\,\{a_i.G_i\}_{i \in I}$. The projection of the resulting global type is a subtype of the result of [LR1].

[LR2] There is $T_{\mathtt q} = G \upharpoonright \mathtt q = \mathtt p?\{a_j.\, G_j \upharpoonright \mathtt q\}_{j \in J}$. To activate [LR2], there should be a value $a_j$ at the head of the buffer $w_{\mathtt{pq}}$. By definition of projection, $G$ therefore has $\mathtt p \rightsquigarrow \mathtt q : j\,\{a_i.G_i\}_{i \in I}$ as a subterm, possibly several times (by mergeability). By definition of projection, no action in $G$ can involve $\mathtt q$ before any of the occurrences of $\mathtt p \rightsquigarrow \mathtt q : j\,\{a_i.G_i\}_{i \in I}$. We can apply [GR4] and [GR5] as many times as needed and use [GR2] to reduce to $G_j$. The projection of the resulting global type corresponds to the result of [LR2].

[LR3] where $T = \mu\mathbf t.T'$. Projection is homomorphic with respect to recursion. Therefore $G$ is of the same form. We can use [GR3] and induction to conclude.

A.2 Local types and CFSMs

Proposition 3.1 For determinism, we note that all $a_i$ in $\mathtt p?\{a_i.T_i\}_{i \in I}$ and $\mathtt p!\{a_i.T_i\}_{i \in I}$ are distinct. Directedness is by the syntax of branching and selection types, which name a single partner $\mathtt p$. Finally, for non-mixed states, one checks that a state is either a sending or a receiving state, as one state represents either a branching or a selection type.

Proposition 3.2 The first clause is by induction on $M$ using the translation of $T$. The second clause is by induction on $T$ using the translation of the automaton. Both are mechanical.
B Appendix for Section 4

We say that a configuration $s$ with $t_1$ and $t_2$ satisfies the one-step diamond property if, assuming $s \xrightarrow{t_1} s_1$ and $s \xrightarrow{t_2} s_2$ with $t_1 \neq t_2$, there exists $s'$ such that $s_1 \xrightarrow{t'_1} s'$ and $s_2 \xrightarrow{t'_2} s'$ where $act(t_1) = act(t'_2)$ and $act(t_2) = act(t'_1)$. We use the following lemma to permute the two actions.

Lemma B.1 (diamond property in basic machines). Suppose $S = (M_{\mathtt p})_{\mathtt p \in \mathcal P}$ and $S$ is basic. Assume $s \in RS(S)$, $s \xrightarrow{t_1} s_1$ and $s \xrightarrow{t_2} s_2$.

1. If $t_1$ and $t_2$ are both sending actions such that $act(t_1) = \mathtt{p_1q_1}!a_1$ and $act(t_2) = \mathtt{p_2q_2}!a_2$, we have either:

   (a) $\mathtt p_1 = \mathtt p_2$ and $\mathtt q_1 = \mathtt q_2$ and $a_1 = a_2$, with $s_1 = s_2$;

   (b) $\mathtt p_1 = \mathtt p_2$ and $\mathtt q_1 = \mathtt q_2$ and $a_1 \neq a_2$;

   (c) $\mathtt p_1 \neq \mathtt p_2$ and $\mathtt q_1 \neq \mathtt q_2$, with $s_1 \neq s_2$, and $s$ with $t_1$ and $t_2$ satisfies the diamond property.

2. If $t_1$ and $t_2$ are both receiving actions such that $act(t_1) = \mathtt{p_1q_1}?a_1$ and $act(t_2) = \mathtt{p_2q_2}?a_2$, we have either:

   (a) $\mathtt p_1 = \mathtt p_2$ and $\mathtt q_1 = \mathtt q_2$ and $a_1 = a_2$, with $s_1 = s_2$;

   (b) $\mathtt p_1 \neq \mathtt p_2$ and $\mathtt q_1 \neq \mathtt q_2$, with $s_1 \neq s_2$, and $s$ with $t_1$ and $t_2$ satisfies the diamond property.

3. If $t_1$ is a receiving action and $t_2$ is a sending action such that $act(t_1) = \mathtt{p_1q_1}?a_1$ and $act(t_2) = \mathtt{p_2q_2}!a_2$, we have either:

   (a) $\mathtt q_1 = \mathtt q_2$ and $\mathtt p_1 \neq \mathtt p_2$; or

   (b) $\mathtt p_1 = \mathtt p_2$ and $\mathtt q_1 \neq \mathtt q_2$; or

   (c) $\mathtt p_1 \neq \mathtt p_2$ and $\mathtt q_1 \neq \mathtt q_2$;

   and in all three cases $s_1 \neq s_2$ and $s$ with $t_1$ and $t_2$ satisfies the diamond property.

Proof. For (1), there is no case such that $\mathtt p_1 \neq \mathtt p_2$ and $\mathtt q_1 = \mathtt q_2$ since $S$ is directed. Then if $\mathtt p_1 = \mathtt p_2$ and $\mathtt q_1 = \mathtt q_2$ and $a_1 = a_2$, we have $s_1 = s_2$ by determinism. For (2), there is no case such that $\mathtt p_1 \neq \mathtt p_2$ and $\mathtt q_1 = \mathtt q_2$ since $S$ is directed. Also there is no case such that $\mathtt p_1 = \mathtt p_2$ and $\mathtt q_1 = \mathtt q_2$ and $a_1 \neq a_2$, since the communication between the same pair of peers goes through a single FIFO queue. For (3), there is no case such that $\mathtt q_1 = \mathtt q_2$ and $\mathtt p_1 = \mathtt p_2$ because of the absence of mixed states. □

The following definition aims to describe explicitly the causality relation between actions. It is useful to identify the permutable actions.

Definition B.1 (causality).

1. Suppose $s_0 \xrightarrow{\varphi} s$ and $\varphi = \varphi_0 \cdot t_1 \cdot \varphi_1 \cdot t_2 \cdot \varphi_2$. We write $t_1 \lhd t_2$ ($t_2$ depends on $t_1$) if either (1) $act(t_1) = \mathtt{pq}!a$ and $act(t_2) = \mathtt{pq}?a$ for some $\mathtt p$ and $\mathtt q$, or (2) $subj(t_1) = subj(t_2)$.

2. We say $\varphi = t_0 \cdot t_1 \cdot t_2 \cdots t_n$ is a causal chain if $s_0 \xrightarrow{\varphi'} s'$ and $\varphi \sqsubseteq \varphi'$ with, for all $0 \le k \le n-1$, there exists $i$ such that $i > k$ and $t_k \lhd t_i$. We call $\varphi$ the maximum causal chain if there is no causal chain $\varphi''$ such that $\varphi \sqsubset \varphi'' \sqsubseteq \varphi'$.

3. Suppose $s_0 \xrightarrow{\varphi} s$ and $\varphi = \varphi_0 \cdot t_1 \cdot \varphi_1 \cdot t_2 \cdot \varphi_2$. We write $t_i \parallel t_j$ if there is no causal chain from $t_i$ to $t_j$ with $i < j$.

By Lemma B.1, we have:

Lemma B.2 (maximum causality). Suppose $S$ is basic and $s \in RS(S)$. Then for all $s \xrightarrow{\varphi} s'$, we have $s \xrightarrow{\varphi_m \cdot \varphi_r} s'$ and $s \xrightarrow{\varphi_r \cdot \varphi_m} s'$, where $\varphi_m$ is the maximum causal chain of $\varphi$ and $\varphi_r$ consists of the remaining actions of $\varphi$ in their original order.
Lemma B.3 (output-input dependency). Suppose $S$ is basic. Then there is no causal chain $t_0 \cdot t_1 \cdot t_2 \cdots t_n$ such that $act(t_0) = \mathtt{pq}!a$ and $act(t_n) = \mathtt{pq}?b$ with $a \neq b$ and $act(t_i) \neq \mathtt{pq}?c$ for any $c$ ($1 \le i \le n-1$).

Proof. We use the following definition. The causal chain $\varphi = t_0 \cdot t_1 \cdots t_n$ is called

1. an O-causal chain if for all $1 \le i \le n$, $act(t_i) = \mathtt{pq_i}!a_i$ for some $\mathtt q_i$ and $a_i$;

2. an I-causal chain if for all $1 \le i \le n$, $act(t_i) = \mathtt{q_ip}?a_i$ for some $\mathtt q_i$ and $a_i$.

Then any single causal chain $\varphi = t_0 \cdot t_1 \cdots t_n$ can be decomposed into alternating O- and I-causal chains $\varphi = \varphi_0 \cdot \varphi_1 \cdots \varphi_m$ where $\varphi_i = t_{i0} \cdots t_{in_i}$, with either (1) $act(t_{in_i}) = \mathtt{pq}!a$ and $act(t_{(i+1)0}) = \mathtt{q'p}?b$; (2) $act(t_{in_i}) = \mathtt{pq}?a$ and $act(t_{(i+1)0}) = \mathtt{qp'}!b$; or (3) $act(t_{in_i}) = \mathtt{pq}!a$ and $act(t_{(i+1)0}) = \mathtt{pq}?a$. In the cases (1, 2), we note $subj(t_{ih}) = subj(t_{(i+1)k})$ for all $0 \le h \le n_i$ and $0 \le k \le n_{i+1}$.

Now assume $S$ is basic and there is a sequence $\varphi = t_0 \cdot t_1 \cdots t_n$ such that $act(t_0) = \mathtt{p_0q_0}!a_0$ and $act(t_n) = \mathtt{p_0q_0}?a_n$ with $a_0 \neq a_n$ and $act(t_i) \neq \mathtt{p_0q_0}?a$ for any $a$ ($1 \le i \le n-1$). We prove that $\varphi$ is not a causal chain by induction on the length of $\varphi$.

Case $n = 1$. By definition, $t_0 \parallel t_n$.

Case $n > 1$. If $\varphi$ is a causal chain, there is a decomposition into O- and I-causal chains $\varphi = \varphi_0 \cdot \varphi_1 \cdots \varphi_m$ where $\varphi_i = t_{i0} \cdots t_{in_i}$. By the condition $act(t_i) \neq \mathtt{p_0q_0}?a$ for any $a$ ($1 \le i \le n-1$), the case (3) above is excluded. Hence we have $subj(t_{ih}) = subj(t_{(i+1)k})$ for all $0 \le h \le n_i$ and $0 \le k \le n_{i+1}$. This implies

1. $\mathtt p_0 = \mathtt p_{ij}$ with $i$ even (in the O-causal chains);

2. $\mathtt q_{ij} = \mathtt q_0$ with $i$ odd (in the I-causal chains); and

3. $\mathtt p_{in_i} = \mathtt q_{(i+1)0}$ with $i$ even.

This implies $\mathtt p_0 = \mathtt q_0$, which contradicts the definition of the channels of CFSMs (i.e. $\mathtt p_0 \neq \mathtt q_0$ if $\mathtt{p_0q_0}$ is a channel). Hence there is no causal chain from $act(t_0) = \mathtt{p_0q_0}!a_0$ to $act(t_n) = \mathtt{p_0q_0}?a_n$ if $act(t_i) \neq \mathtt{p_0q_0}?a$ and $a_0 \neq a_n$. □

Lemma B.4 (input availability). Assume $S = (M_{\mathtt p})_{\mathtt p \in \mathcal P}$ is basic and multiparty compatible. Then for all $s \in RS(S)$, if $s \xrightarrow{\mathtt{pp'}!a} s'$, then $s' \xrightarrow{\varphi} s_2 \xrightarrow{\mathtt{pp'}?a} s_1$ for some $\varphi$.

Proof. We use Lemma B.1 and Lemma B.2. Suppose $s \in RS(S)$ and $s \xrightarrow{t} s'$ with $act(t) = \mathtt{pp'}!a$. By contradiction, assume there is no $\varphi'$ such that $s' \xrightarrow{\varphi'} s''$ ends with an action $\mathtt{pp'}?a$. Then there should be some input transition $(q, \mathtt{qp'}?b, q') \in \delta_{\mathtt p'}$ with $q \xrightarrow{\mathtt{qp'}?b} q'$ and $q \xrightarrow{\mathtt{qp'}?b'} q''$ where $b \neq b'$ (hence $q' \neq q''$ by determinism), i.e. $\mathtt{qp'}?b$ leads to a path incompatible with the one that leads to the action $\mathtt{pp'}?a$.

Suppose $s' \xrightarrow{\varphi_0 \cdot t_{bi}} s''$ with $t_{bi} = (q, \mathtt{qp'}?b, q')$. Then $\varphi_0$ should include the corresponding output action $act(t_{bo}) = \mathtt{qp'}!b$. By Lemma B.2, without loss of generality, we assume $\varphi_0 \cdot t_{bi}$ is the maximum causal chain to $t_{bi}$. Let us write $\varphi_0 = t_0 \lhd t_1 \lhd \cdots \lhd t_n$. By Lemma B.1, we can set $t_{bo} = t_n$. Note that for all $i$, $act(t_i) \neq \mathtt{pp'}?a'$ by the assumption: if $act(t_i) = \mathtt{pp'}?a$, it contradicts the assumption that $t$ does not have a corresponding input; and if $act(t_i) = \mathtt{pp'}?a'$ with $a \neq a'$ then, by directedness of $S$, it contradicts the assumption that $t_{bi}$ is the first input which leads to the incompatible path. Then there are three cases.

1. there is a chain from $t$ to $t_n = t_{bo}$, i.e. there exists $0 \le i \le n$ such that $t \lhd t_i \lhd \cdots \lhd t_n$;

2. there is no direct chain from $t$ to $t_n$ but there is a chain to $t_{bi}$, i.e. there exists $0 \le i \le n$ such that $t \lhd t_i \lhd \cdots \lhd t_{bi}$;

3. there is no chain from $t$ to either $t_n$ or $t_{bi}$.

Case 1: By the assumption, there is no $t_j$ such that $act(t_j) = \mathtt{pp'}?a'$. Hence $act(t_i) = \mathtt{pp''}!a'$ for some $a'$ and $\mathtt p''$.

Case 1-1: there is no input $t_j$ in $t \lhd t_i \lhd \cdots \lhd t_{n-1}$. Then $\mathtt p = \mathtt q$, i.e. $\mathtt{qp'}!b = \mathtt{pp'}!b$. Then by the definition of $s \xrightarrow{t} s'$ (i.e. by the FIFO semantics at each channel), the message $b$ of $\mathtt{pp'}!b$ cannot be consumed before $\mathtt{pp'}?a$. This contradicts the assumption that $\mathtt{pp'}?a$ is not available.

Case 1-2: there is an input $t_j$ in $t \lhd t_i \lhd \cdots \lhd t_{n-1}$. By $t \lhd t_i$, $subj(act(t_i)) = \mathtt p$. Hence we have either $act(t_i) = \mathtt{pq_i}!a_i$ with $\mathtt q \neq \mathtt q_i$, or $act(t_i) = \mathtt{q_ip}?a_i$.

Case 1-2-1: $act(t_i) = \mathtt{pq_i}!a_i$. Then there is a path $q \xrightarrow{\mathtt{pp'}!a} \cdots \xrightarrow{\mathtt{pq_i}!a_i} q'$ in $M_{\mathtt p}$. Hence by multiparty compatibility, there should be traces $\mathtt{pp'}?a \cdot \varphi \cdot \mathtt{pq_i}?a_i$ with $\varphi$ an alternation of actions of the machines $\{M_{\mathtt r}\}_{\mathtt r \in \mathcal P \setminus \mathtt p}$. This contradicts the assumption that $\mathtt{pp'}?a$ is not available.

Case 1-2-2: $act(t_i) = \mathtt{q_ip}?a_i$. Similarly to Case 1-2-1, by multiparty compatibility there should be traces $\mathtt{pp'}?a \cdot \varphi \cdot \mathtt{pq_i}?a_i$ with $\varphi$ an alternation of actions of the machines $\{M_{\mathtt r}\}_{\mathtt r \in \mathcal P \setminus \mathtt p}$. Hence it contradicts the assumption.

Case 2: Assume the chain $t \lhd t_i \lhd \cdots \lhd t_{bi}$ and $t \parallel t_n$. By the same reasoning as in Case 1, $\mathtt p \neq \mathtt q$ and $t_i$ is either $\mathtt{pq_i}!a_i$ or $\mathtt{q_ip}?a_i$. Then we use multiparty compatibility as above.

Case 3: Suppose there exists $s_{04} \in RS(S)$ such that $s_{04} \xrightarrow{t_4} \cdots \xrightarrow{t_{bi}}$ and $s_{04} \xrightarrow{t'_4} \cdots \xrightarrow{t}$, where $t_4$ leads to $t_{bi}$ and $t'_4$ leads to $t$.

Case 3-1: Suppose $t_4$ and $t'_4$ are both sending actions. By Lemma B.1, there are three cases.

(a) This case does not satisfy the assumption since $s_1 = s_2$.

(b) We set $act(t_4) = \mathtt{p_4q_4}!d$ and $act(t'_4) = \mathtt{p_4q_4}!d'$ with $d \neq d'$. In this case, we cannot execute both $t$ and $t_{bi}$. Hence there is no possible way to execute $t_{bi}$ after $t$. This contradicts the assumption.

(c) Since this case satisfies the diamond property, we apply the same routine from the configuration $s'$ such that $s_{04} \xrightarrow{t_4} \xrightarrow{t'_4} s'$ and $s_{04} \xrightarrow{t'_4} \xrightarrow{t_4} s'$, where the length of the sequences leading to $t$ and to $t_{bi}$ is reduced (hence this case is eventually matched with the other cases).

Case 3-2: Suppose $t_4$ and $t'_4$ are both receiving actions. By Lemma B.1, there are two cases. Case (a) is the same as Case 3-1-(b) and case (b) is the same as Case 3-1-(c).

Case 3-3: Suppose $t_4$ is a sending action and $t'_4$ is a receiving action. This case is the same as Case 3-1-(c). This concludes the proof. □

We can extend the above lemma. The proof is similar.

Lemma B.5 (general input availability). Assume $S = (M_{\mathtt p})_{\mathtt p \in \mathcal P}$ is basic and multiparty compatible. Then for all $s \in RS(S)$, if $s \xrightarrow{\mathtt{pp'}!a} s_1 \xrightarrow{\varphi} s'$ with $\mathtt{pp'}?a \notin \varphi$, then $s' \xrightarrow{\varphi'} s_2 \xrightarrow{\mathtt{pp'}?a} s_3$ for some $\varphi'$.

B.1 Proofs of Theorem 4.1

We first prove the following stable property.

Proposition B.1 (stable property). Assume $S = (M_{\mathtt p})_{\mathtt p \in \mathcal P}$ is basic and multiparty compatible. Then $S$ satisfies the stable property, i.e. for all $s \in RS(S)$, there exists an execution $\varphi$ such that $s \xrightarrow{\varphi} s'$ with $s'$ stable, and there is a 1-bounded execution $s_0 \xrightarrow{\varphi'} s'$.

Proof. We proceed by induction on the total number of messages (sending actions) which should be closed by the corresponding receive actions. Once all messages are closed, we obtain a 1-bounded execution.

Suppose $s_1, s_2$ are states such that $s_0 \xrightarrow{\varphi_1} s_1 \xrightarrow{t_1} s_2 \xrightarrow{\varphi_2} s'$, where $\varphi_1$ is a 1-bounded execution and $s_1 \xrightarrow{t_1} s_2$ is the first transition which is not followed by the corresponding receive action. Since $\varphi_1$ is a 1-bounded execution, there is $s_3$ such that $s_2 \xrightarrow{t_2} s_3$, where $t_1$ and $t_2$ are both sending actions. Then by the definition of compatibility and Lemma B.4, we have

$$s_1 \xrightarrow{t_1} s_2 \xrightarrow{\varphi_2} \xrightarrow{t'_1} s'_3 \qquad (B.1)$$

where $\varphi_2$ is an alternating execution and $t'_1 = \mathtt{pq}?a$ is the receive corresponding to $act(t_1) = \mathtt{pq}!a$. Assume $\varphi_2$ is a minimum execution which leads to $t'_1$. We need to show that $\varphi_2$ can be permuted so that $t'_1$ directly follows $t_1$ within a 1-bounded execution.

Let $\varphi_2 = t_4 \cdot \varphi'_2$. Then by the definition of multiparty compatibility, $act(t_4) = \mathtt{p'q'}!c$ with $\mathtt p' \neq \mathtt p$ and $\mathtt q' \neq \mathtt q$. Hence by Lemma B.1 (1), there exists the execution

$$s_1 \xrightarrow{t_4} \xrightarrow{t_1} \xrightarrow{\varphi'_2} \xrightarrow{t'_1} s_3 \xrightarrow{t_2} s_4$$

Let $\varphi'_2 = t'_4 \cdot \varphi''_2$ where $act(t'_4) = \mathtt{p'q'}?c$ (the execution is alternating, so the receive of $c$ directly follows its send). Then this time, by Lemma B.1 (3), we have

$$s_1 \xrightarrow{t_4} \xrightarrow{t'_4} \xrightarrow{t_1} \xrightarrow{\varphi''_2} \xrightarrow{t'_1} s_3 \xrightarrow{t_2} s_4$$

where $\varphi_1 \cdot t_4 \cdot t'_4$ is a 1-bounded execution. Applying this permutation repeatedly, we have

$$s_1 \xrightarrow{\varphi_3} \xrightarrow{t_1} \xrightarrow{t'_1} s_3 \xrightarrow{t_2} s_4$$

where $\varphi_3$ is a 1-bounded execution, so $t_1$ is now closed by $t'_1$. We apply the same routine for $t_2$, closing it by its corresponding receive action $t'_2$, and then to the next outstanding sending action one by one, and conclude $s_1 \xrightarrow{\varphi'} s$ for some stable $s$ reached by a 1-bounded execution. □

From the stable property, orphan-message-freedom and reception-error-freedom are immediate. Also liveness is a corollary of orphan-message-freedom and deadlock-freedom. Hence we only prove deadlock-freedom, assuming the stable property.

Deadlock-freedom Assume $S$ is basic and satisfies multiparty compatibility. By the above proposition, $S$ satisfies the stable property. Hence we only have to check that no $s \in RS_1(S)$ is a deadlock. Suppose by contradiction that $s$ contains the pending receiving transitions $t_1, \ldots, t_n$. Then by multiparty compatibility, there exists a 1-bounded execution $\varphi$ such that $s \xrightarrow{\varphi} \xrightarrow{t_1} s'$. Hence $s' \xrightarrow{\varphi'} s''$ with $s''$ stable. Applying this routine to the remaining receiving transitions $t_2, \ldots, t_n$, we conclude the proof. □

B.2 Proof of Lemma 4.1

Proof. We prove by induction that $\forall n$, $S_1 \approx_n S_2 \Rightarrow S_1 \approx_{n+1} S_2$. Then the lemma follows.

We assume $S_1 \approx_n S_2$ and then prove, by induction on the length of any $(n+1)$-bounded execution $\varphi$ of $S_1$, that $\varphi$ is accepted by $S_2$. If the length $|\varphi| < n+1$, then the buffer usage of $\varphi$ in $S_1$ cannot exceed $n$, therefore $S_2$ can realise $\varphi$ since $S_1 \approx_n S_2$.

Assume that a trace $\varphi$ in $S_1$ has length $|\varphi| = k+1$, that $\varphi$ is $(n+1)$-bounded, and that any trace strictly shorter than $\varphi$ or using less buffer space is accepted by $S_2$.

We denote the last action of $\varphi$ as $\ell$. We name $\ell_0$ the last unmatched send transition $\mathtt{pq}!a$ of $\varphi$ that is not $\ell$. We can therefore write $\varphi$ as $\varphi_0 \cdot \ell_0 \cdot \varphi_1 \cdot \ell$, with $\varphi_1$ minimal, i.e. there is no permutation of $\varphi$ of the form $\varphi'_0 \cdot \ell \cdot \varphi'_1 \cdot \ell_0$. In $S_1$, we have

$$S_1 : s_0 \xrightarrow{\varphi_0} \xrightarrow{\ell_0} \xrightarrow{\varphi_1} s_1 \xrightarrow{\ell} s \qquad (B.2)$$

By Lemma B.5, we have a trace $\varphi_2$ such that:

$$S_1 : s_0 \xrightarrow{\varphi_0} \xrightarrow{\ell_0} \xrightarrow{\varphi_1} s_1 \xrightarrow{\varphi_2} \xrightarrow{\mathtt{pq}?a} s_2 \qquad (B.3)$$

Case $\varphi_2 = \epsilon$. Hence

$$S_1 : s_0 \xrightarrow{\varphi_0} \xrightarrow{\ell_0} \xrightarrow{\varphi_1} s_1 \xrightarrow{\mathtt{pq}?a} s_2 \quad \text{and} \quad s_1 \xrightarrow{\ell} s \qquad (B.4)$$

Let $\ell = \mathtt{p_1q_1}!b$. Then by Lemma B.1 (3), $s_1 \xrightarrow{\mathtt{pq}?a} \xrightarrow{\ell} s''$, as required.

Case $\varphi_2 = \ell_1 \cdot \varphi'_2$.

1. If $\ell = \mathtt{p_1q_1}!b$ and $\ell_1 = \mathtt{p_2q_2}?c$, then by Lemma B.1 (3), $s_1 \xrightarrow{\ell_1} \xrightarrow{\ell} s''$. Hence we apply the induction on $\varphi'_2$.

2. If $\ell = \mathtt{p_1q_1}!b$ and $\ell_1 = \mathtt{p_2q_2}!c$, then by directedness we have three cases:

   (a) $\mathtt p_1 \neq \mathtt p_2$ and $\mathtt q_1 \neq \mathtt q_2$. By Lemma B.1 (1), we have

   $$s_1 \xrightarrow{\ell} s'_1 \xrightarrow{\ell_1} s'_2 \quad \text{and} \quad s_1 \xrightarrow{\ell_1} s''_1 \xrightarrow{\ell} s'_2 \qquad (B.5)$$

   Hence we conclude by the induction on $\varphi'_2$.

   (b) $\mathtt p_1 = \mathtt p_2$ and $\mathtt q_1 = \mathtt q_2$ and $b \neq c$. In this case, by Lemma B.5, there exists $\varphi_3$ such that $s_1 \xrightarrow{\ell_1} \xrightarrow{\varphi_3} \xrightarrow{\mathtt{p_1q_1}?c}$. Hence this case is subsumed into (a) or (c) below.

   (c) $\mathtt p_1 = \mathtt p_2$ and $\mathtt q_1 = \mathtt q_2$ and $b = c$. Since $\ell_0$ and $\ell$ are not permutable, there is a causal chain $t_0 \lhd t_1 \lhd \cdots \lhd t_n \lhd \cdots \lhd t_{n+m}$ with $act(t_0) = \ell_0$, $act(t_n) = \ell$ and $act(t_{n+m}) = \ell_1$. We note that since $\ell_0$ is the first outstanding output, by multiparty compatibility the $t_i$ ($1 \le i \le n-1$) do not include $\mathtt{p_1q_1}?a$. Then by Lemma B.3, this case does not exist.

Applying Case (a), we can build in $S_1$ a sequence of transitions that allows $\ell$ using strictly less buffer space:

$$S_1 : s_0 \xrightarrow{\varphi_0} \xrightarrow{\ell_0} \xrightarrow{\varphi_3} \xrightarrow{\mathtt{pq}?a} \xrightarrow{\ell} \qquad (B.6)$$

where $\varphi_3$ is the result of the combination of $\varphi_1$ and $\varphi_2$ using commutation. By the assumption ($S_1 \approx_n S_2$), $S_2$ can simulate this sequence as:

$$S_2 : s_0 \xrightarrow{\varphi_0} \xrightarrow{\ell_0} \xrightarrow{\varphi_3} \xrightarrow{\mathtt{pq}?a} \xrightarrow{\ell} \qquad (B.7)$$
All the commutation steps used in $S_1$ are also valid in $S_2$, since they are solely based on the causalities of the transition sequences. We therefore can permute (B.7) back to:

$$S_2 : s_0 \xrightarrow{\varphi_0} \xrightarrow{\ell_0} \xrightarrow{\varphi_1} \xrightarrow{\ell} \qquad (B.8)$$

This concludes the proof. □

    G = def x0 = x1 | x2
            x1 + x5 = x3
            x3 = A -> B : data ; x4
            x4 = x5 + x6
            x6 = A -> B : eof ; x7
            x2 = A -> C : log ; x8
            x7 | x8 = x9
            x9 = B -> C : save ; x10
            x10 = end
        in x0

Fig. 3. Generalised global type and graph representation (data transfer example). Only the textual type is reproduced here; the graph of the original figure is not available in this copy.

C Generalised Multiparty Session Automata

As an addition to the main results, we extend the results obtained on classical multiparty session types to tackle generalised multiparty session types [11], an extension with new features such as flexible fork, choice, merge and join operations for precise flow specification. It strictly subsumes classical MPST.

C.1 Generalised global and local types

In this subsection, we recall definitions from [11].

Generalised global types We first define generalised global types. The syntax is defined below.

$$\begin{array}{rcll}
G & ::= & \mathbf{def}\ G\ \mathbf{in}\ x & \text{Global type} \\[4pt]
G & ::= & x = \mathtt p \to \mathtt p' : a\,;x' & \text{Messages} \\
  & \mid & x = \mathbf{end} & \text{End} \\
  & \mid & x = x' \,|\, x'' & \text{Fork} \\
  & \mid & x = x' + x'' & \text{Choice} \\
  & \mid & x \,|\, x' = x'' & \text{Join} \\
  & \mid & x + x' = x'' & \text{Merge}
\end{array}$$

A global type $G = \mathbf{def}\ G\ \mathbf{in}\ x_0$ describes an interaction between a fixed number of participants. We explain each of the constructs by example, in Figure 3, alongside the corresponding graphical representation inspired by the BPMN 2.0 business process language. This example features three participants, with $\mathtt A$ sending data to $\mathtt B$ while $\mathtt C$ concurrently records a log entry of the transmission.

The prescribed interaction starts from $x_0$, which we call the initial state (in green in the graphical representation), and proceeds according to the transitions specified in $G$ (the diamond or box operators in the picture). The state variables $x$ in $G$ (the edges in the graph) represent the successive distributed states of the interaction. Transitions can be message exchanges of the form $x_3 = \mathtt A \to \mathtt B : data\,;x_4$, where this transition specifies that $\mathtt A$ can go from $x_3$ to the continuation $x_4$ by sending message $data$, while $\mathtt B$ goes from $x_3$ to $x_4$ by receiving it. In the graph, message exchanges are represented by boxes with exactly one incoming and one outgoing edge. $x_4 = x_5 + x_6$ represents the choice between continuing with $x_5$ or $x_6$, and $x_0 = x_1 \,|\, x_2$ represents forking the interactions, allowing the interleaving of actions at $x_1$ and $x_2$. These forked threads are eventually collected by a joining construct of the form $x_7 \,|\, x_8 = x_9$. Similarly, choices (i.e. mutually exclusive paths) are closed by a merging construct $x_1 + x_5 = x_3$, where they share a continuation. Forks, choices, joins and merges are represented by diamond ternary operators in the graphical notation. Fork and choice have one input and two outputs; join and merge have two inputs and one output. Fork and join use the diamond operator with the $|$ symbol, while choice and merge use a diamond with the $+$ symbol. The $x_{10} = \mathbf{end}$ transition is represented by a red circle. Note that the two representations (syntax and graph) are equivalent.

The motivation behind this choice of syntax is to support general control flows, as the classical global type syntax tree, even with added operators fork $|$ and choice $+$ [3, 7, 10, 17], is limited to series-parallel control flow graphs.

Generalised local types As for global types, a local type $T$ follows the shape of a state machine-like definition: local types are of the form $\mathbf{def}\ T\ \mathbf{in}\ x_0$. The different actions include send ($\mathtt p!a$ is the action of sending to $\mathtt p$ a message $a$), receive ($\mathtt p?a$ is the action of receiving from $\mathtt p$ a message $a$), fork, internal choice, external choice, join, merge, indirection and end. Note that merge is used for both internal and external choices. Similarly to global types, an obvious graphical representation exists. The send, receive, fork, join and end productions are listed before Figure 4; the remaining productions are:

$$\begin{array}{rcll}
T & ::= & x = x' \oplus x'' & \text{internal choice} \\
  & \mid & x = x' \,\&\, x'' & \text{external choice} \\
  & \mid & x + x' = x'' & \text{merge} \\
  & \mid & x = x' & \text{indirection}
\end{array}$$

The local types are obtained from the global type by successive projection to each participant. We define the projection of a well-formed global type $G$ to the local type of participant $\mathtt p$ (written $G \upharpoonright \mathtt p$). The projection is given in Appendix D because it is straightforward: for example, $x = \mathtt p \to \mathtt q : a\,;x'$ is projected to the output $x = \mathtt q!a.x'$ from $\mathtt p$'s viewpoint and to the input $x = \mathtt p?a.x'$ from $\mathtt q$'s viewpoint; otherwise it creates an indirection link from $x$ to $x'$. Choice $x = x' + x''$ is projected to the internal choice $x = x' \oplus x''$ if $\mathtt p$ is the unique participant deciding which branch to choose; otherwise the projection gives an external choice $x = x' \,\&\, x''$ ([11] gives the definition). Forks, joins and merges are kept identical. As an example, Figure 6 features on the left, in graphical notation, the result of the projection to $\mathtt A$ of the global type $G$ of Figure 3. Its structure is exactly the same as the original global type, except for the transition $x_9 = x_{10}$, which is silent from the point of view of $\mathtt A$ and is therefore just elided in the local type.
C.2 Labelled transitions of generalised global and local types 

It is possible to define a labelled semantics for global and local types by considering the 
type (whether local or global) as a state machine specification in which each participant 
(or the participant, in the case of local type) can evolve, as they would in a CFSMs. As 
forCFSMs and classical multiparty session types, we keep the syntax of labels (£,£\...). 
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T :: 


= def r in X local type 


T :: 


— X = p!a.x' send 




X = p?a.x' receive 




X = x' 1 x" fork 




X 1 x' = x" join 




X = end end 



$$
\frac{x = p \to p' : a;\, x' \in G \qquad \mathbf{X}_p = X[x]}
     {\mathsf{def}\ G\ \mathsf{in}\ \mathbf{X}, w \xrightarrow{pp'!a} \mathsf{def}\ G\ \mathsf{in}\ \mathbf{X}[\mathbf{X}_p \leftarrow X[x']],\ w[w_{pp'} \leftarrow w_{pp'} \cdot a]}
\ [\mathrm{GGR1}]
$$

$$
\frac{x = p \to p' : a;\, x' \in G \qquad \mathbf{X}_{p'} = X[x] \qquad w_{pp'} = a \cdot w'}
     {\mathsf{def}\ G\ \mathsf{in}\ \mathbf{X}, w \xrightarrow{pp'?a} \mathsf{def}\ G\ \mathsf{in}\ \mathbf{X}[\mathbf{X}_{p'} \leftarrow X[x']],\ w[w_{pp'} \leftarrow w']}
\ [\mathrm{GGR2}]
$$

$$
\frac{x = p \to p' : a;\, x' \in G \qquad \mathbf{X}_q = X[x] \qquad q \notin \{p, p'\} \qquad \mathsf{def}\ G\ \mathsf{in}\ \mathbf{X}[\mathbf{X}_q \leftarrow X[x']], w \xrightarrow{\ell} \mathsf{def}\ G\ \mathsf{in}\ \mathbf{X}', w'}
     {\mathsf{def}\ G\ \mathsf{in}\ \mathbf{X}, w \xrightarrow{\ell} \mathsf{def}\ G\ \mathsf{in}\ \mathbf{X}', w'}
\ [\mathrm{GGR3}]
$$

$$
\frac{\mathbf{X}_p = X \qquad X \equiv_G X' \qquad \mathsf{def}\ G\ \mathsf{in}\ \mathbf{X}[\mathbf{X}_p \leftarrow X'], w \xrightarrow{\ell} \mathsf{def}\ G\ \mathsf{in}\ \mathbf{X}', w'}
     {\mathsf{def}\ G\ \mathsf{in}\ \mathbf{X}, w \xrightarrow{\ell} \mathsf{def}\ G\ \mathsf{in}\ \mathbf{X}', w'}
\ [\mathrm{GGR4}]
$$

Fig. 4. Global LTS 

We use the following notation to keep track of local states (with parallelism, each 
participant can now execute several transitions concurrently): 

$X ::= x \mid X \mid X \qquad\qquad X[\_] ::= \_ \mid X[\_] \mid X \mid X \mid X[\_]$

LTS for global types. We first define, for a global type G = def G in x0, a transition 
system def G in 𝐗, w → def G in 𝐗', w', where 𝐗 and 𝐗' are vectors recording the 
state of each participant, 𝐗 = {X_p}_{p∈P}, and where w records the contents of the 
communication buffers {w_{qq'}}_{qq'∈C}. The states of the global type G = def G in x0 are 
equipped with an equivalence relation ≡_G, defined in Appendix D.1, which covers as- 
sociativity, commutativity, forks and joins, choices and merges. Initially, 𝐗_0 = {x0}_{p∈P} 
and w_0 = {ε}_{qq'∈C}. The LTS for global types is defined in Figure 4. 

The semantics of global types, as given by the rules [GGR1,2], follows the intuition 
of communicating systems: if the global type allows it, a participant in the right state can 
put a value in a communication buffer and progress to the next state ([GGR1]) or, if a 
value can be read, a participant in the right state can consume it and proceed ([GGR2]). 
Rule [GGR3] lets participants that are not concerned by a transition go through it for 
free. Fork, join, choice and merge transitions are passed through silently by rule [GGR4]. 

LTS for local types. We define in Figure 5 a transition system 𝐓, w → 𝐓', w', where 
𝐓 represents a set of local types {def Γ in X_p}_{p∈P} and w represents the contents of 
the communication buffers {w_{qq'}}_{qq'∈C}. Initially, 𝐓_0 sets all the local types to x0 and 
w_0 = {ε}_{qq'∈C}. The principle is strictly identical to the LTS for global types, with, 
again, a structural equivalence ≡_Γ between local states (omitted here). 

Equivalence between generalised local and global types. Given the similarity in prin- 
ciple between the global and local LTSs, and considering that the projection algorithm 
for generalised global types is quasi-homomorphic, we easily obtain the trace equiva- 
lence between the local and global semantics. 

Theorem C.1 (soundness and completeness of projection). If 𝐓 is the projection of 
a global type G to all roles, then G ≈ (𝐓, ε). 

C.3 Translations between general local types and CFSMs 

Now that we have proved the equivalence from global to local types, we establish the 
conversion of local types to and from CFSMs. 
$$
\frac{x = p'!a.x' \in \Gamma \qquad T_p = \mathsf{def}\ \Gamma\ \mathsf{in}\ X[x]}
     {\mathbf{T}, w \xrightarrow{pp'!a} \mathbf{T}[T_p \leftarrow \mathsf{def}\ \Gamma\ \mathsf{in}\ X[x']],\ w[w_{pp'} \leftarrow w_{pp'} \cdot a]}
\ [\mathrm{GLR1}]
$$

$$
\frac{x = p?a.x' \in \Gamma \qquad T_{p'} = \mathsf{def}\ \Gamma\ \mathsf{in}\ X[x] \qquad w_{pp'} = a \cdot w'}
     {\mathbf{T}, w \xrightarrow{pp'?a} \mathbf{T}[T_{p'} \leftarrow \mathsf{def}\ \Gamma\ \mathsf{in}\ X[x']],\ w[w_{pp'} \leftarrow w']}
\ [\mathrm{GLR2}]
$$

$$
\frac{T_p = \mathsf{def}\ \Gamma\ \mathsf{in}\ X \qquad X \equiv_\Gamma X' \qquad \mathbf{T}[T_p \leftarrow \mathsf{def}\ \Gamma\ \mathsf{in}\ X'], w \xrightarrow{\ell} \mathbf{T}', w'}
     {\mathbf{T}, w \xrightarrow{\ell} \mathbf{T}', w'}
\ [\mathrm{GLR3}]
$$
Fig. 5. Local LTS 



Translation to CFSMs We first give the already known translation from local types to 
CFSMs [11]. The illustration of that translation on the Data transfer example is given 
on the top-right corner of Figure 6. 

Definition C.1 (translation from local types to CFSMs [11]). If T = def Γ in x0 is 
the local type of participant p projected from G, then the corresponding automaton is 
𝒜(T) = (Q, C, q0, A, δ) where: 

- Q is defined as the set of well-formed states X built from the state variables {x_i} of 
Γ. Q is defined up to the equivalence relation ≡_Γ mentioned in § C.2. 

- C = {pq | p, q ∈ G} 

- q0 = x0 

- A is the set {a ∈ G} 

- δ is defined by: 

• (X[x], pp'!a, X[x']) ∈ δ if x = p'!a.x' ∈ Γ. 

• (X[x], p'p?a, X[x']) ∈ δ if x = p'?a.x' ∈ Γ. 




[Figure 6, three panels from left to right: the general local type for A; the CFSM for A, with transitions labelled AB!data, AC!log and AB!eof; the inferred labelled Petri net.] 

Fig. 6. Data transfer example: local translations 

Translations from CFSMs. The converse translation is not as obvious, as local types 
feature explicit forks and joins, while CFSMs only offer choices between interleaved 
sequences. The translation from a CFSM to a local type therefore comes in 3 steps. 
First, we apply a generic translation from minimised CFSMs to Petri nets [9, 21]. 
This translation relies on the polynomial computation of the graph of regions [1], pre- 
serves the trace semantics of the CFSM and, by the minimality of the produced net, 
makes the concurrency explicit. Figure 6 illustrates on the Data transfer example the 
shape of the Petri net that can be produced by such a generic translation. Note that the 
produced Petri net is always safe and free choice. 

The second step of the conversion is to take the Petri net with labelled transitions 
and enrich it with new silent transitions and new places so that it can be translated into 
local types. Notably, it should have only one initial marked place, one final place and all 
labelled transitions should have exactly one incoming and one outgoing arc. Then, we 
constrain all transitions to be linked with no more than 3 arcs (2 incoming and 1 outgo- 
ing for a join transition, or 1 incoming and 2 outgoing for a fork transition, 1 incoming 
and 1 outgoing for all the other transitions). Places should have no more than 2 incoming 
and 2 outgoing arcs: if there are two incoming (merge), then the transitions they come 
from should only have one incoming arc each; if there are 2 outgoing (choice), then the 
transitions they lead to should have only one outgoing arc each. 

In the end, the translation to a local type is simple, as each place corresponds to a 
state variable x, and the different local type transitions can be identified directly. To keep 
the presentation light, instead of defining this last step formally, we describe the 
converse translation, from which the local type generation can be inferred. 

Definition C.2 (Petri net representation). Given a local type T = def Γ in x0, we 
define the Petri net P(T) by: 

- Each state variable x ∈ Γ is a place in P(T). 

- All the places are initially empty, except for one token in x0. 

- Transitions in Γ are translated as follows: 

• If x = p!a.x' ∈ Γ then there is a transition labelled p!a in P(T), whose unique input 
arc comes from x and whose unique output arc goes to x'. 

• If x = p?a.x' ∈ Γ then there is a transition labelled p?a in P(T), whose unique input arc 
comes from x and whose unique output arc goes to x'. 

• If x1 = x2 | x3 ∈ Γ then there is a transition in P(T), whose unique input arc 
comes from x1 and whose two output arcs go to x2 and x3. 

• If x1 = x2 + x3 ∈ Γ (internal or external choice) then there are two transitions in 
P(T), that each have an input arc from x1 and that respectively have an output 
arc to x2 and x3. 

• If x1 + x2 = x3 ∈ Γ then there are two transitions in P(T), that respectively 
have an input arc from x1 and x2 and that both have an output arc to x3. 

• If x1 | x2 = x3 ∈ Γ then there is a transition in P(T), whose two input arcs 
respectively come from x1 and x2 and whose unique output arc goes to x3. 

The idea of the translation back from a Petri net to a local type is to identify the transi- 
tions and place patterns and convert them into local type transitions. 
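To make Definition C.2 and the arc constraints of the second conversion step concrete, here is an added Python example (not the paper's code) that builds P(T) from a local type encoded as tuples and reports any shape of net that could not be read back as a local type. The tuple encoding, the reading of "final place" as a place without outgoing arcs, and the sample local type GAMMA_A are assumptions of this example.

```python
# Added example (not the paper's code): the Petri net P(T) of Definition C.2
# built from a local type, plus the arc constraints of the second conversion
# step. Local type equations are tuples (constructed encoding); indirections
# x = x' are assumed already elided:
#   ('send', x, q, a, x1)  x = q!a.x1     ('recv', x, q, a, x1)  x = q?a.x1
#   ('fork', x, x1, x2)    x = x1 | x2    ('join', x1, x2, x)    x1 | x2 = x
#   ('ichoice', x, x1, x2) x = x1 (+) x2  ('echoice', x, x1, x2) x = x1 & x2
#   ('merge', x1, x2, x)   x1 + x2 = x    ('end', x)             x = end

def petri_net(gamma, x0):
    """Return (places, transitions, marking); a transition is a triple
    (label, inputs, outputs) with label None for a silent transition."""
    trans = []
    for eq in gamma:
        k = eq[0]
        if k in ('send', 'recv'):                  # one input arc, one output arc
            _, x, q, a, x1 = eq
            trans.append((q + ('!' if k == 'send' else '?') + a, {x}, {x1}))
        elif k == 'fork':                          # one input, two outputs
            trans.append((None, {eq[1]}, {eq[2], eq[3]}))
        elif k == 'join':                          # two inputs, one output
            trans.append((None, {eq[1], eq[2]}, {eq[3]}))
        elif k in ('ichoice', 'echoice'):          # two silent transitions out of x
            trans += [(None, {eq[1]}, {eq[2]}), (None, {eq[1]}, {eq[3]})]
        elif k == 'merge':                         # two silent transitions into x
            trans += [(None, {eq[1]}, {eq[3]}), (None, {eq[2]}, {eq[3]})]
    places = {p for _, ins, outs in trans for p in ins | outs}
    places |= {eq[1] for eq in gamma if eq[0] == 'end'}
    return places, trans, {x0: 1}                  # one token in x0

def structural_violations(places, trans, marking):
    """Constraints a net must meet before it can be read back as a local type."""
    bad = []
    if sum(marking.values()) != 1:
        bad.append('not exactly one initially marked place')
    if sum(1 for p in places if not any(p in ins for _, ins, _ in trans)) != 1:
        bad.append('not exactly one final place')  # final = no outgoing arc (assumption)
    for lab, ins, outs in trans:
        shape = (len(ins), len(outs))
        if lab is not None and shape != (1, 1):
            bad.append(f'labelled transition {lab} has arcs {shape}')
        if lab is None and shape not in ((1, 1), (2, 1), (1, 2)):
            bad.append(f'silent transition {sorted(ins)}->{sorted(outs)} has arcs {shape}')
    for p in sorted(places):
        preds = [t for t in trans if p in t[2]]
        succs = [t for t in trans if p in t[1]]
        if len(preds) > 2 or len(succs) > 2:
            bad.append(f'place {p} has more than 2 incoming or outgoing arcs')
        if len(preds) == 2 and any(len(t[1]) != 1 for t in preds):
            bad.append(f'merge place {p} is fed by a join transition')
        if len(succs) == 2 and any(len(t[2]) != 1 for t in succs):
            bad.append(f'choice place {p} leads to a fork transition')
    return bad

# Constructed local type for a participant A in the spirit of the Data
# transfer example: data to B and log to C concurrently, then loop or eof.
GAMMA_A = [('fork', 'x0', 'x1', 'x2'), ('send', 'x1', 'B', 'data', 'x3'),
           ('send', 'x2', 'C', 'log', 'x4'), ('join', 'x3', 'x4', 'x5'),
           ('ichoice', 'x5', 'x0', 'x6'), ('send', 'x6', 'B', 'eof', 'x7'),
           ('end', 'x7')]

if __name__ == '__main__':
    places, trans, marking = petri_net(GAMMA_A, 'x0')
    print(len(places), 'places,', len(trans), 'transitions')
    print(structural_violations(places, trans, marking) or 'net is in the required shape')
```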

Note that, in Figure 6, the inferred Petri net will not give back the local type on 
the left: in the general case, going from a local type to a CFSM and then back to a 
local type only yields an isomorphic local type. The traces are of course 
preserved. 
C.4 Parallelism and local choice condition 

This subsection introduces the conditions that CFSMs should respect in order to cor- 
respond to well-formed local types projected from generalised global types. It extends 
the conditions that were sufficient for classical multiparty session types for two reasons. 
First, we now have concurrent interactions and the no-mixed choice condition does not 
hold anymore. Second, the well-formedness condition corresponding to projectability 
in classical multiparty session types needs to take into account the complex control 
flows of generalised multiparty session types. 

We start with a commutativity condition for mixed states in CFSMs: a state is mixed 
parallel if every send transition satisfies the diamond property with every receive transition. 
Formally: 

Definition C.3 (mixed parallel). Let M = (Q, C, q0, A, δ). We say local state q in M 
is mixed parallel if for all (q, ℓ1, q'1), (q, ℓ2, q'2) ∈ δ such that ℓ1 is a send and ℓ2 is a 
receive we have (q'1, ℓ2, q'), (q'2, ℓ1, q') ∈ δ for some q'. 
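An added Python example (not the paper's code) that checks Definition C.3 on a CFSM given as a transition set; the encoding of labels as (sender, receiver, kind, message) tuples and the two sample machines are constructed for this example. It also applies the same diamond check to pairs of receive transitions, which is the first alternative of condition (3) in Proposition C.1 below.

```python
# Added example (not the paper's code): the mixed parallel check of
# Definition C.3, and the diamond check on pairs of receives used in
# condition (3) of Proposition C.1. A CFSM is encoded (constructed encoding)
# by its transition set delta of triples (q, label, q1), where a label is
# (sender, receiver, kind, msg) with kind '!' for a send and '?' for a receive.

def successors(delta, q, label):
    return {q1 for (s, l, q1) in delta if s == q and l == label}

def outgoing(delta, q, kind):
    """Labels of the send ('!') or receive ('?') transitions leaving q."""
    return {l for (s, l, _) in delta if s == q and l[2] == kind}

def diamond_closes(delta, q, l1, l2):
    """Diamond property at q for l1, l2: every (q -l1-> q1, q -l2-> q2)
    is closed by some q' with q1 -l2-> q' and q2 -l1-> q'."""
    for q1 in successors(delta, q, l1):
        for q2 in successors(delta, q, l2):
            if not successors(delta, q1, l2) & successors(delta, q2, l1):
                return False
    return True

def is_mixed(delta, q):
    return bool(outgoing(delta, q, '!')) and bool(outgoing(delta, q, '?'))

def mixed_parallel(delta, q):
    """Definition C.3: each send at q commutes with each receive at q."""
    return all(diamond_closes(delta, q, l1, l2)
               for l1 in outgoing(delta, q, '!') for l2 in outgoing(delta, q, '?'))

def receives_commute(delta, q):
    """Two distinct receive transitions at q satisfy the diamond property."""
    recvs = outgoing(delta, q, '?')
    return all(diamond_closes(delta, q, l1, l2)
               for l1 in recvs for l2 in recvs if l1 != l2)

def non_parallel_mixed_states(delta):
    """Mixed states that violate Definition C.3 (what a checker would report)."""
    states = {s for (s, _, _) in delta} | {t for (_, _, t) in delta}
    return sorted(q for q in states if is_mixed(delta, q) and not mixed_parallel(delta, q))

AB_DATA, CA_ACK = ('A', 'B', '!', 'data'), ('C', 'A', '?', 'ack')

# Constructed machine for A: the send to B and the receive from C belong to
# independent parallel branches, so q0 is mixed but the diamond closes at q3.
PARALLEL = {('q0', AB_DATA, 'q1'), ('q0', CA_ACK, 'q2'),
            ('q1', CA_ACK, 'q3'), ('q2', AB_DATA, 'q3')}

# Constructed machine where q0 is a genuine mixed choice: no diamond closes it.
MIXED_CHOICE = {('q0', AB_DATA, 'q1'), ('q0', CA_ACK, 'q2')}

if __name__ == '__main__':
    print(non_parallel_mixed_states(PARALLEL))       # []
    print(non_parallel_mixed_states(MIXED_CHOICE))   # ['q0']
```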

Next, we introduce two conditions for the choice that are akin to the local choice 
conditions with additional data of [13, Def. 2] or the "knowledge of choice" conditions 
of [7]. 

Definition C.4 (local choice condition). 

1. The set of receivers of the transitions $s_1 \xrightarrow{t_1 \cdots t_m} s_{m+1}$ is defined as $\mathit{Rcv}(t_1 \cdots t_m) = \{q \mid \exists i \le m,\ t_i = (s_i, pq?a, s_{i+1})\}$. 

2. The set of active senders is defined as $\mathit{ASend}(t_1 \cdots t_m) = \{p \mid \exists i \le m,\ t_i = (s_i, pq!a, s_{i+1}) \wedge \forall k < i,\ t_k \neq (s_k, p'p?b, s_{k+1})\}$ and represents the participants who could immediately send from state $s_1$. 

3. Suppose $s_0 \xrightarrow{\varphi} s$ and $\varphi = \varphi_0 \cdot t_1 \cdot \varphi_1 \cdot t_2 \cdot \varphi_2$. We write $t_1 \lhd t_2$ ($t_2$ depends on $t_1$) if either (1) $\mathit{act}(t_2) = \overline{\mathit{act}(t_1)}$ or (2) $\mathit{subj}(t_1) = \mathit{subj}(t_2)$, unless $t_1$ and $t_2$ are parallel. 

4. We say $\varphi = t_0 \cdot t_1 \cdot t_2 \cdots t_n$ is the causal chain if $s_0 \xrightarrow{\varphi'} s'$ and $\varphi \subseteq \varphi'$ with, for all $0 \le k \le n-1$, there exists $i$ such that $i > k$ and $t_k \lhd t_i$. 

5. $S$ satisfies the receiver property if, for all $s \in RS(S)$ and $s \xrightarrow{t_1} s_1$ and $s \xrightarrow{t_2} s_2$ with $\mathit{act}(t_i) = pq_i!a_i$, there exist $s_1 \xrightarrow{\varphi_1} s'_1$ and $s_2 \xrightarrow{\varphi_2} s'_2$ such that $\mathit{Rcv}(\varphi_1) = \mathit{Rcv}(\varphi_2)$. 

6. $S$ satisfies the unique sender property if $s_0 \xrightarrow{\varphi_1} s_1 \xrightarrow{t_1} s'_1$ and $s_0 \xrightarrow{\varphi_2} s_2 \xrightarrow{t_2} s'_2$ with $\mathit{act}(t_1) = p_1p?a_1$, $\mathit{act}(t_2) = p_2p?a_2$, $a_1 \neq a_2$, $\neg\, t_1 \lhd t_2$ and $\neg\, t_2 \lhd t_1$, and $\varphi_i \cdot t_i$ the maximum causal chain. Then $\mathit{ASend}(\varphi_1 \cdot t_1) = \mathit{ASend}(\varphi_2 \cdot t_2) = \{q\}$. 

Together with multiparty compatibility, the receiver property ensures deadlock-freedom 
while the unique sender property guarantees orphan message-freedom. 

Proposition C.1 (stability). Suppose S = {M_p}_{p∈P} and each M_p is deterministic. If (1) 
S is multiparty compatible; (2) each mixed state in S is mixed parallel; and (3) for any 
local state that can do two receive transitions, either they commute (satisfy the diamond 
property) or the state satisfies the unique sender condition, then S is stable and satisfies 
the reception error-freedom and orphan message-freedom properties. 

Proof. The proof is similar to that of Proposition 4.1, noting that the unique sender condition 
guarantees the input availability. See Appendix D. □ 
Theorem C.2 (deadlock-freedom). Suppose S = {M_p}_{p∈P} satisfies the same condi- 
tions as Proposition C.1. Assume, in addition, that S satisfies the receiver condition. 
Then S is deadlock-free. 

Proof. We deduce this theorem from the stability property and the receiver condition. 
The proof uses the same reasoning as Proposition 4.1. □ 



We call the systems that satisfy the conditions of Theorem C.2 session-compatible. 

By the same algorithm, the multiparty compatibility property is decidable for sys- 
tems of deterministic CFSMs. It is however undecidable to check the receiver and 
unique sender properties in general. On the other hand, once multiparty compatibil- 
ity is assumed, we can restrict the checks to 1-bounded executions (i.e. we limit φ1, φ2, 
φ'1 and φ'2 to 1-bounded executions and use RS_1(S) in Definition C.4). Then these properties 
become decidable. Combining this with the synthesis algorithm defined below, we can decide a 
subset of CFSMs from which a general, well-formed global type can be built. 

C.5 Synthesis of general multiparty session automata 

Now all the pieces are in place for the main results of this paper. We are able to identify 
the class of communicating systems that correspond to generalised multiparty session 
types. 

The main theorems in this section follow: 

Theorem C.3 (synthesis of general systems). Suppose S = {M_p}_{p∈P} is a session- 
compatible system. Then there is an algorithm which builds G such that S ≈ G. 

Proof. The algorithm is the following. We consider S = {M_p}_{p∈P} as the definition of a 
transition system. In this transition system, we only consider the 1-bounded executions. 
This restriction produces a finite-state LTS, where send transitions are immediately 
followed by the unique corresponding receive transition. In each of these cases, we 
replace the pair of transitions pp'!a and pp'?a by a unique transition p → p' : a. To 
obtain the global type G, we then follow first the standard conversion to Petri nets and 
then the equivalence between Petri nets and global types (similar to the one between Petri 
nets and local types). We conclude the equivalence by a version of Lemma 4.1 adapted 
to session-compatible systems. □ 

Using the synthesis theorem, we are able to provide a full characterisation of gen- 
eralised multiparty session types in terms of session-compatible systems. 

Theorem C.4 (soundness and completeness in MSA). Suppose S = {M_p}_{p∈P} is a 
session-compatible system. Then there exists G such that S ≈ G. Conversely, if G is well- 
formed as in [11], then there exists S which satisfies the safety and liveness properties 
(deadlock-freedom, reception error-freedom and orphan message-freedom), and S ≈ G. 

Proof. By Theorem C.3 and Theorem C.1 with the same reasoning as in Theorem 4.3. 
□ 
D Appendix for Section C 

Projection. We define the projection from a global type to a local type, where ASend 
denotes the set of active senders, which corresponds to the same definition for CFSMs 
(see [11]). 





$$
\begin{array}{rcll}
(\mathsf{def}\ G\ \mathsf{in}\ x) \upharpoonright p & = & \mathsf{def}\ (G \upharpoonright p)\ \mathsf{in}\ x \\
(x = p \to p' : a;\, x') \upharpoonright p & = & x = p'!a.x' \\
(x = p \to p' : a;\, x') \upharpoonright p' & = & x = p?a.x' \\
(x = p \to p' : a;\, x') \upharpoonright p'' & = & x = x' & (p'' \notin \{p, p'\}) \\
(x \mid x' = x'') \upharpoonright p & = & x \mid x' = x'' \\
(x = x' \mid x'') \upharpoonright p & = & x = x' \mid x'' \\
(x = x' + x'') \upharpoonright p & = & x = x' \oplus x'' & (\text{if } p = \mathit{ASend}(G)(x)) \\
(x = x' + x'') \upharpoonright p & = & x = x' \,\&\, x'' & (\text{otherwise}) \\
(x + x' = x'') \upharpoonright p & = & x + x' = x'' \\
(x = \mathsf{end}) \upharpoonright p & = & x = \mathsf{end}
\end{array}
$$
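The projection rules above, run on a constructed global type, as an added Python example (not the paper's code). The tuple encoding of global and local types is an assumption of this example, and ASend(G)(x) is simplified to the set of senders of the first interactions reachable from x, which suffices for this example but is not the paper's definition.

```python
# Added example (not the paper's code): the projection G |> p of Appendix D,
# run on a constructed generalised global type. Equations are tuples
# (constructed encoding):
#   ('msg', x, p, q, a, x1)  x = p -> q : a ; x1   ('fork', x, x1, x2)   x = x1 | x2
#   ('join', x1, x2, x)      x1 | x2 = x           ('choice', x, x1, x2) x = x1 + x2
#   ('merge', x1, x2, x)     x1 + x2 = x           ('end', x)            x = end
# Local types reuse the shape with 'send' (x = q!a.x1), 'recv' (x = q?a.x1),
# 'link' (x = x1), 'ichoice' (x = x1 (+) x2) and 'echoice' (x = x1 & x2).

def active_senders(G, x, seen=None):
    """Simplified ASend(G)(x) (assumption, not the paper's definition):
    the senders of the first interactions reachable from x without
    passing through another interaction."""
    seen = set() if seen is None else seen
    if x in seen:
        return set()
    seen.add(x)
    out = set()
    for eq in G:
        k = eq[0]
        if k == 'msg' and eq[1] == x:
            out.add(eq[2])
        elif k in ('fork', 'choice') and eq[1] == x:
            out |= active_senders(G, eq[2], seen) | active_senders(G, eq[3], seen)
        elif k == 'merge' and x in (eq[1], eq[2]):
            out |= active_senders(G, eq[3], seen)
    return out

def project(G, p):
    """G |> p, rule by rule: an interaction becomes a send, a receive or an
    indirection; a choice becomes internal for its unique active sender and
    external for everyone else; forks, joins, merges and end are unchanged."""
    T = []
    for eq in G:
        if eq[0] == 'msg':
            _, x, s, r, a, x1 = eq
            if p == s:
                T.append(('send', x, r, a, x1))     # x = r!a.x1
            elif p == r:
                T.append(('recv', x, s, a, x1))     # x = s?a.x1
            else:
                T.append(('link', x, x1))          # x = x1 (silent for p)
        elif eq[0] == 'choice':
            _, x, x1, x2 = eq
            kind = 'ichoice' if active_senders(G, x) == {p} else 'echoice'
            T.append((kind, x, x1, x2))
        else:
            T.append(eq)
    return T

# Constructed global type: A sends data to B; then A logs to C while B acks
# to C in parallel; after the join A decides to continue or to send eof.
G_DEMO = [('msg', 'x0', 'A', 'B', 'data', 'x1'), ('fork', 'x1', 'x2', 'x3'),
          ('msg', 'x2', 'A', 'C', 'log', 'x4'), ('msg', 'x3', 'B', 'C', 'ack', 'x5'),
          ('join', 'x4', 'x5', 'x6'), ('choice', 'x6', 'x7', 'x8'),
          ('msg', 'x7', 'A', 'B', 'more', 'x0'), ('msg', 'x8', 'A', 'B', 'eof', 'x9'),
          ('end', 'x9')]

if __name__ == '__main__':
    for role in ('A', 'B', 'C'):
        print(role, project(G_DEMO, role))
```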





D.l Global type equivalence 

Below we define the equivalence relation ≡_G used in the LTS of the global types. 

$$
X \mid X' \equiv_G X' \mid X \qquad\qquad X \mid (X' \mid X'') \equiv_G (X \mid X') \mid X''
$$

$$
\frac{x = x' \in G}{X[x] \equiv_G X[x']} \qquad
\frac{x = x' \mid x'' \in G}{X[x] \equiv_G X[x' \mid x'']} \qquad
\frac{x \mid x' = x'' \in G}{X[x \mid x'] \equiv_G X[x'']}
$$

$$
\frac{x = x' + x'' \in G}{X[x] \equiv_G X[x']} \qquad
\frac{x = x' + x'' \in G}{X[x] \equiv_G X[x'']} \qquad
\frac{x + x' = x'' \in G}{X[x] \equiv_G X[x'']} \qquad
\frac{x + x' = x'' \in G}{X[x'] \equiv_G X[x'']}
$$

Below we define the equivalence relation ≡_Γ used in the translation in Definition C.1. 

$$
X \mid X' \equiv_\Gamma X' \mid X \qquad\qquad X \mid (X' \mid X'') \equiv_\Gamma (X \mid X') \mid X''
$$

$$
\frac{x = x' \in \Gamma}{X[x] \equiv_\Gamma X[x']} \qquad
\frac{x = x' \mid x'' \in \Gamma}{X[x] \equiv_\Gamma X[x' \mid x'']} \qquad
\frac{x \mid x' = x'' \in \Gamma}{X[x \mid x'] \equiv_\Gamma X[x'']}
$$

$$
\frac{x = x' \,\&\, x'' \in \Gamma}{X[x] \equiv_\Gamma X[x']} \qquad
\frac{x = x' \,\&\, x'' \in \Gamma}{X[x] \equiv_\Gamma X[x'']} \qquad
\frac{x = x' \oplus x'' \in \Gamma}{X[x] \equiv_\Gamma X[x']} \qquad
\frac{x = x' \oplus x'' \in \Gamma}{X[x] \equiv_\Gamma X[x'']}
$$

$$
\frac{x + x' = x'' \in \Gamma}{X[x] \equiv_\Gamma X[x'']} \qquad
\frac{x + x' = x'' \in \Gamma}{X[x'] \equiv_\Gamma X[x'']}
$$

D.2 Proof of Proposition C.l 

Essentially we have the same proof as for Proposition 4.1. The only difference is that we 
need to use the unique sender condition to ensure that the action $\ell_1$ is possible in (B.1) 
in the proof of Proposition 4.1 (note that $\ell_1$ is always possible in basic CFSMs since 
they are directed). 

Suppose, in (B.1) in the proof of Proposition 4.1, that the action $\ell_1$ is not possible: i.e. 
$s_1 \xrightarrow{\varphi_2} s_2 \xrightarrow{\ell_2} s'_2$ but $s'_2$ cannot perform $\ell_1$. The only possibility is that some $M_q$ contains 
the receiver state $q$ such that $(q, pq?a, q'), (q, p'q?b, q'') \in \delta_q$, which does not satisfy the 
parallel condition (since if it did, $s_2$ could perform $\ell_1$), and $\varphi_2$ contains the action $p'q?b$, 
which implies that $\varphi_2$ contains the action $p'q!b$. By the unique sender condition, there is 
a unique $q'$ such that $s_0 \xrightarrow{\varphi} s_1$ and $s_0 \xrightarrow{\varphi \cdot pq!a \cdot \varphi' \cdot p'q!b \cdot \varphi''} s'_2$ with $\mathit{ASend}(\varphi \cdot pq!a) = 
\mathit{ASend}(\varphi \cdot pq!a \cdot \varphi' \cdot p'q!b) = \{q'\}$. Since $p'q!b$ cannot be reordered before $pq!a$ or after 
$\varphi_1$, to satisfy the unique sender property $\varphi'$ should include $pq?a$. This contradicts 
the assumption that $\varphi_2$ does not include $pq?a$. 

D.3 Proof of Theorem C.2 

By (reception error-freedom) and (orphan message-freedom), together with (stable 
property), we only have to check that no input is waiting with an empty queue 
forever. Suppose by contradiction that there is $s \in RS(S)$ such that $s = (\vec{q}; \varepsilon)$ and there ex- 
ists an input state $q_p \in \vec{q}$ and no output transition from any $q_k$ with $k \neq p$. 

Then by assumption there is a 1-buffer execution $\varphi$, and since $\varphi$ is not taken (if it were, 
$q_p$ could perform an input), there is another execution $\varphi'$ which leads to the state $s$ 
that is deadlocked at $q_p$. 

Case (1) Suppose $\varphi$ does not include input actions at $q$ except $a$, i.e. $a$ is the first input 
action at $q$ in $\varphi$. We write $\varphi_0$ for the prefix before the actions $qp!a \cdot qp?a$. 

By (receiver condition), we know $p \in \mathit{Rcv}(\varphi')$. 

By determinacy, the corresponding input action has a different label from $a$, 
i.e. $q'p?a' \in \varphi'$. By the diamond property, $q'p?a'$ and $qp?a$ can appear from the 
same state, i.e. this state falls under the assumption of the parallel condition. Hence by 
multiparty compatibility, both corresponding outputs $q'p!a'$ and $qp!a$ can always 
be fired if one of them is. This contradicts the assumption that $q_p$ is deadlocked with label $a$. 

Case (2) Suppose $\varphi$ includes other input actions at $q$ before $qp?a$, i.e. $p \in \mathit{Rcv}(\varphi_0)$. 
Let $q'p!a'$ be the action which first occurs in $\varphi_0$. By $p \in \mathit{Rcv}(\varphi')$, there exists $q''p!a'' \in 
\varphi'$. If $q''p?a'' \neq q'p?a'$, by the same reasoning as in (1), both corresponding out- 
puts are available. Hence we assume the case $q''p?a'' = q'p?a'$. Let $s$ be the first state 
from which a transition in $\varphi_0$ and a transition in $\varphi'$ are separated. Then by assump- 
tion, $s \to s_1$ and $s \to s_2$, and by assumption $a \notin \varphi_0 \cup \varphi_1$, hence 

$$
s \xrightarrow{q'p!a' \cdot q'p?a'} s'_1 \xrightarrow{\varphi'_0} s_1 \qquad\text{and}\qquad s \xrightarrow{q'p!a' \cdot q'p?a'} s'_2 \xrightarrow{\varphi'_1} s_2
$$

by the diamond property again. Since 
$s'_1$ can perform an input at $q$ by the assumption (because of $qp?a$), $\varphi'_1$ should contain an 
input at $q$ by the receiver condition. If it contains the input to $q$ in $\varphi'_1$, then we repeat 
Case (2), noting that the length of $\varphi'_1$ is shorter than the length of $\varphi_1 \cdot q'p!a' \cdot q'p?a'$; 
else we use Case (1) to derive the contradiction; otherwise, if it contains the same input as 
$qp?a$, then it contradicts the assumption that $q_p$ is deadlocked. 